def fromTemplate(self, ca_name, password, template_name = 'default'):
"""
Creates a CA from a template file. Note that this function just creates a new CA from the template data, it
does not allow modification of that data on the fly. Load the new CA's config and modify it if you need
to change it.
:param ca_name: Display name of the CA.
:param password: CA Password.
:param template_name: Template name (NOT the file name!)
"""
from conf.SSL import templates
try:
template_config = templates.getConfig(template_name)
except templates.TemplateDoesNotExist:
raise TemplateError("Template '%s' does not exist!" %template_name)
# Create new CA config
config_path = CA_Config.create(ca_name, template_config)
# Fetch file system name from config
fs_name = CA_Config.getFSName(ca_name)
# Set up CA data on file system
ca_path = CA_Roots.createCAStructure(fs_name)
# Update CA config with path to data
self.config = CA_Config.getConfig(ca_name)
self.config['dir'] = ca_path # dir has to be at top level for all the paths to work
self.config['req']['input_password'] = password
self.config['req']['output_password'] = password
CA_Config.setConfig(ca_name, self.config)
# Copy the CA password to the appropriate location
nixcommon.touch("%s/.CApass" %ca_path, password, 0600)
nixcommon.setFileAttribs(ca_path, self.ca_file_owner, self.ca_group, permissions=0740)
# Create the CA itself
# Not sure if I need the paths now that I have the config set? Need to test this.
os.chdir(ca_path)
# Need to send password via -passin http://www.openssl.org/docs/apps/openssl.html
new_key = self.runOpenSSL('req -new -newkey rsa:2048 -keyout keys/ca.key -out requests/ca.csr -config ' \
'"%s"' %(config_path))
create_ca = self.runOpenSSL('ca -batch -out ca.crt -days 9999 -keyfile keys/ca.key ' \
'-selfsign -extensions v3_ca_has_san -config "%s" ' \
'-passin file:"%s/.CApass" -infiles requests/ca.csr' %(config_path,ca_path))
if new_key['return_value']:
raise CACreationError(new_key['stderr'])
if create_ca['return_value']:
raise CACreationError(create_ca['stderr'])
def run(self):
"""
naSetup hook.
"""
randgen = random.SystemRandom()
# Create the initial nixAuth CA with a randomly generated password
self.ca.fromTemplate('nixAuth Default', "%x" %randgen.getrandbits(256) )
# TODO: Fix these once the SSL libraries are completed
# Create SSL key and CSR
from lib.ssl import openssl
from conf.SSL import CA_Config
from data.SSL import CA_Roots
config_file = CA_Config.getPath('nixAuth Default')
ssl = openssl.OpenSSL()
ca_root = CA_Roots.getCARoot(CA_Config.getFSName('nixAuth Default'))
key_name = "%s.%s" %(self.na_setup_config['hostName'],self.na_setup_config['dnsDomain'])
key_loc = "%s/keys/%s.key" %(ca_root,key_name)
key_cmd = "genrsa -config \"%s\" -out \"%s\" 2048 " %(config_file,key_loc)
key_info = ssl.runOpenSSL(key_cmd)
if key_info['return_value']:
raise SSLSetupError('Error creating SSL key: %s' %key_info['stderr'])
csr_loc = "%s/keys/%s.%s.csr" %(ca_root,self.na_setup_config['hostName'],self.na_setup_config['dnsDomain'])
csr_cmd = "req -config \"%s\" -new -batch -key \"%s\" -out \"%s\"" %(config_file,key_loc,csr_loc)
csr_info = ssl.runOpenSSL(csr_cmd)
if csr_info['return_value']:
raise SSLSetupError('Error creating SSL CSR: %s' %csr_info['stderr'])
# Sign the CSR using the CA
try:
self.ca.signCSR('nixAuthDefault', key_name)
except:
raise
return self.my_na_setup_config_fragment