Exemplo n.º 1
0
    def generate_crl(self):
        openssl_lock.acquire()
        try:
            conf_path = os.path.join(self.path, TEMP_DIR, 'crl.conf')
            conf_data = CERT_CONF % (self.id, self.path,
                app_server.key_bits, CA_CERT_ID)
            with open(conf_path, 'w') as conf_file:
                conf_file.write(conf_data)
            args = [
                'openssl', 'ca', '-gencrl', '-batch',
                '-config', conf_path,
                '-out', self.crl_path
            ]
            subprocess.check_call(args, stdout=subprocess.PIPE,
                stderr=subprocess.PIPE)
            os.remove(conf_path)
        except subprocess.CalledProcessError:
            logger.exception('Failed to generate server crl. %r' % {
                'org_id': self.id,
            })
            raise
        finally:
            openssl_lock.release()

        for server in self.get_servers():
            if server.status:
                server.restart()
Exemplo n.º 2
0
 def _cert_request(self):
     openssl_lock.acquire()
     try:
         args = [
             'openssl',
             'req',
             '-new',
             '-batch',
             '-config',
             self.ssl_conf_path,
             '-out',
             self.reqs_path,
             '-keyout',
             self.key_path,
             '-reqexts',
             '%s_req_ext' % self.type,
         ]
         subprocess.check_call(args,
                               stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE)
     except subprocess.CalledProcessError:
         logger.exception('Failed to create user cert requests. %r' % {
             'org_id': self.org.id,
             'user_id': self.id,
         })
         raise
     finally:
         openssl_lock.release()
     os.chmod(self.key_path, 0600)
Exemplo n.º 3
0
 def _cert_create(self):
     openssl_lock.acquire()
     try:
         args = ['openssl', 'ca', '-batch']
         if self.type == CERT_CA:
             args += ['-selfsign']
         args += [
             '-config',
             self.ssl_conf_path,
             '-in',
             self.reqs_path,
             '-out',
             self.cert_path,
             '-extensions',
             '%s_ext' % self.type,
         ]
         subprocess.check_call(args,
                               stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE)
     except subprocess.CalledProcessError:
         logger.exception('Failed to create user cert. %r' % {
             'org_id': self.org.id,
             'user_id': self.id,
         })
         raise
     finally:
         openssl_lock.release()
Exemplo n.º 4
0
    def _revoke(self, reason):
        if self.id == CA_CERT_ID:
            raise TypeError("Cannot revoke ca cert")

        if not os.path.isfile(self.cert_path):
            logger.warning("Skipping revoke of non existent user. %r" % {"org_id": self.org.id, "user_id": self.id})
            return

        openssl_lock.acquire()
        try:
            self._create_ssl_conf()
            args = [
                "openssl",
                "ca",
                "-batch",
                "-config",
                self.ssl_conf_path,
                "-revoke",
                self.cert_path,
                "-crl_reason",
                reason,
            ]
            proc = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
            returncode = proc.wait()
            if returncode != 0:
                err_output = proc.communicate()[1]
                if "ERROR:Already revoked" not in err_output:
                    raise subprocess.CalledProcessError(returncode, args)
            self._delete_ssl_conf()
        except subprocess.CalledProcessError:
            logger.exception("Failed to revoke user cert. %r" % {"org_id": self.org.id, "user_id": self.id})
            raise
        finally:
            openssl_lock.release()
        self.org.generate_crl()
Exemplo n.º 5
0
    def generate_crl(self):
        openssl_lock.acquire()
        try:
            conf_path = os.path.join(self.path, TEMP_DIR, 'crl.conf')
            conf_data = CERT_CONF % (self.id, self.path, app_server.key_bits,
                                     CA_CERT_ID)
            with open(conf_path, 'w') as conf_file:
                conf_file.write(conf_data)
            args = [
                'openssl', 'ca', '-gencrl', '-batch', '-config', conf_path,
                '-out', self.crl_path
            ]
            subprocess.check_call(args,
                                  stdout=subprocess.PIPE,
                                  stderr=subprocess.PIPE)
            os.remove(conf_path)
        except subprocess.CalledProcessError:
            logger.exception('Failed to generate server crl. %r' % {
                'org_id': self.id,
            })
            raise
        finally:
            openssl_lock.release()

        for server in self.get_servers():
            if server.status:
                server.restart()
Exemplo n.º 6
0
 def _cert_request(self):
     openssl_lock.acquire()
     try:
         args = [
             'openssl', 'req', '-new', '-batch',
             '-config', self.ssl_conf_path,
             '-out', self.reqs_path,
             '-keyout', self.key_path,
             '-reqexts', '%s_req_ext' % self.type,
         ]
         subprocess.check_call(args, stdout=subprocess.PIPE,
             stderr=subprocess.PIPE)
     except subprocess.CalledProcessError:
         logger.exception('Failed to create user cert requests. %r' % {
             'org_id': self.org.id,
             'user_id': self.id,
         })
         raise
     finally:
         openssl_lock.release()
     os.chmod(self.key_path, 0600)
Exemplo n.º 7
0
 def _cert_create(self):
     openssl_lock.acquire()
     try:
         args = ['openssl', 'ca', '-batch']
         if self.type == CERT_CA:
             args += ['-selfsign']
         args += [
             '-config', self.ssl_conf_path,
             '-in', self.reqs_path,
             '-out', self.cert_path,
             '-extensions', '%s_ext' % self.type,
         ]
         subprocess.check_call(args, stdout=subprocess.PIPE,
             stderr=subprocess.PIPE)
     except subprocess.CalledProcessError:
         logger.exception('Failed to create user cert. %r' % {
             'org_id': self.org.id,
             'user_id': self.id,
         })
         raise
     finally:
         openssl_lock.release()
Exemplo n.º 8
0
 def _cert_create(self):
     openssl_lock.acquire()
     try:
         args = ["openssl", "ca", "-batch"]
         if self.type == CERT_CA:
             args += ["-selfsign"]
         args += [
             "-config",
             self.ssl_conf_path,
             "-in",
             self.reqs_path,
             "-out",
             self.cert_path,
             "-extensions",
             "%s_ext" % self.type,
         ]
         subprocess.check_call(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
     except subprocess.CalledProcessError:
         logger.exception("Failed to create user cert. %r" % {"org_id": self.org.id, "user_id": self.id})
         raise
     finally:
         openssl_lock.release()
Exemplo n.º 9
0
    def _revoke(self, reason):
        if self.id == CA_CERT_ID:
            raise TypeError('Cannot revoke ca cert')

        if not os.path.isfile(self.cert_path):
            logger.warning('Skipping revoke of non existent user. %r' % {
                'org_id': self.org.id,
                'user_id': self.id,
            })
            return

        openssl_lock.acquire()
        try:
            self._create_ssl_conf()
            args = [
                'openssl', 'ca', '-batch', '-config', self.ssl_conf_path,
                '-revoke', self.cert_path, '-crl_reason', reason
            ]
            proc = subprocess.Popen(args,
                                    stdout=subprocess.PIPE,
                                    stderr=subprocess.PIPE)
            returncode = proc.wait()
            if returncode != 0:
                err_output = proc.communicate()[1]
                if 'ERROR:Already revoked' not in err_output:
                    raise subprocess.CalledProcessError(returncode, args)
            self._delete_ssl_conf()
        except subprocess.CalledProcessError:
            logger.exception('Failed to revoke user cert. %r' % {
                'org_id': self.org.id,
                'user_id': self.id,
            })
            raise
        finally:
            openssl_lock.release()
        self.org.generate_crl()
Exemplo n.º 10
0
    def _revoke(self, reason):
        if self.id == CA_CERT_ID:
            raise TypeError('Cannot revoke ca cert')

        if not os.path.isfile(self.cert_path):
            logger.warning('Skipping revoke of non existent user. %r' % {
                'org_id': self.org.id,
                'user_id': self.id,
            })
            return

        openssl_lock.acquire()
        try:
            self._create_ssl_conf()
            args = ['openssl', 'ca', '-batch',
                '-config', self.ssl_conf_path,
                '-revoke', self.cert_path,
                '-crl_reason', reason
            ]
            proc = subprocess.Popen(args, stdout=subprocess.PIPE,
                stderr=subprocess.PIPE)
            returncode = proc.wait()
            if returncode != 0:
                err_output = proc.communicate()[1]
                if 'ERROR:Already revoked' not in err_output:
                    raise subprocess.CalledProcessError(returncode, args)
            self._delete_ssl_conf()
        except subprocess.CalledProcessError:
            logger.exception('Failed to revoke user cert. %r' % {
                'org_id': self.org.id,
                'user_id': self.id,
            })
            raise
        finally:
            openssl_lock.release()
        self.org.generate_crl()
Exemplo n.º 11
0
 def _cert_request(self):
     openssl_lock.acquire()
     try:
         args = [
             "openssl",
             "req",
             "-new",
             "-batch",
             "-config",
             self.ssl_conf_path,
             "-out",
             self.reqs_path,
             "-keyout",
             self.key_path,
             "-reqexts",
             "%s_req_ext" % self.type,
         ]
         subprocess.check_call(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
     except subprocess.CalledProcessError:
         logger.exception("Failed to create user cert requests. %r" % {"org_id": self.org.id, "user_id": self.id})
         raise
     finally:
         openssl_lock.release()
     os.chmod(self.key_path, 0600)