def fromTemplate(self, ca_name, password, template_name = 'default'):
"""
Creates a CA from a template file. Note that this function just creates a new CA from the template data, it
does not allow modification of that data on the fly. Load the new CA's config and modify it if you need
to change it.
:param ca_name: Display name of the CA.
:param password: CA Password.
:param template_name: Template name (NOT the file name!)
"""
from conf.SSL import templates
try:
template_config = templates.getConfig(template_name)
except templates.TemplateDoesNotExist:
raise TemplateError("Template '%s' does not exist!" %template_name)
# Create new CA config
config_path = CA_Config.create(ca_name, template_config)
# Fetch file system name from config
fs_name = CA_Config.getFSName(ca_name)
# Set up CA data on file system
ca_path = CA_Roots.createCAStructure(fs_name)
# Update CA config with path to data
self.config = CA_Config.getConfig(ca_name)
self.config['dir'] = ca_path # dir has to be at top level for all the paths to work
self.config['req']['input_password'] = password
self.config['req']['output_password'] = password
CA_Config.setConfig(ca_name, self.config)
# Copy the CA password to the appropriate location
nixcommon.touch("%s/.CApass" %ca_path, password, 0600)
nixcommon.setFileAttribs(ca_path, self.ca_file_owner, self.ca_group, permissions=0740)
# Create the CA itself
# Not sure if I need the paths now that I have the config set? Need to test this.
os.chdir(ca_path)
# Need to send password via -passin http://www.openssl.org/docs/apps/openssl.html
new_key = self.runOpenSSL('req -new -newkey rsa:2048 -keyout keys/ca.key -out requests/ca.csr -config ' \
'"%s"' %(config_path))
create_ca = self.runOpenSSL('ca -batch -out ca.crt -days 9999 -keyfile keys/ca.key ' \
'-selfsign -extensions v3_ca_has_san -config "%s" ' \
'-passin file:"%s/.CApass" -infiles requests/ca.csr' %(config_path,ca_path))
if new_key['return_value']:
raise CACreationError(new_key['stderr'])
if create_ca['return_value']:
raise CACreationError(create_ca['stderr'])
def setConfig(ca_name, ca_config_data, create_config=False):
"""
Sets an existing CA's config
:param ca_name:
:param ca_config_data:
:return: String pointing to the config file.
"""
dn = ca_config_data['req_distinguished_name']
try:
ca_path_name = r"%s/%s - %s.openssl.cnf" %(PATH,dn['0.organizationName_default'],
dn['organizationalUnitName_default'])
except KeyError:
raise CAConfigError('Invalid configuration dictionary!')
# Make sure the path doesn't exist already
if os.path.exists(ca_path_name) and create_config:
raise CAConfigExistsError(ca_path_name)
elif not os.path.exists(ca_path_name) and not create_config:
raise CAConfigDoesNotExistError(ca_path_name)
# Create the config
if create_config:
ca_config = sslconfigparser.SSLConfigParser(ca_path_name, no_auto_parse=True, create_config_file=True)
# Just set the existing config
else:
ca_config = sslconfigparser.SSLConfigParser(ca_path_name)
ca_config.write(ca_config_data)
# Protect the config (it has the CA password in it)
nixcommon.setFileAttribs(ca_path_name, integration_config['Settings']['caFSOwner'],
integration_config['Settings']['caFSGroup'], 0640)
if create_config:
db = nixsqlite.NixSQLite(DATABASE)
# TODO: Escape queries!
sql_query = 'insert into cas values ("%s","%s");' %(ca_name,ca_path_name)
db.query(sql_query)
return ca_path_name
def createCAStructure(fs_name):
"""
Creates the CA filesystem structure using the provided name (from the config file name).
:param fs_name: The filesystem name of the config (used to create the CA path).
:return: String containing the newly created CA's path.
"""
randgen = random.SystemRandom()
ca_dirs = [('certsdb', 0750), ('requests',0750), ('keys',0700), ('certs',0755), ('crl',0755)]
ca_path = "%s/%s" %(PATH,fs_name.rstrip('openssl.cnf'))
# Create CA's root
if not os.path.exists(ca_path):
os.mkdir(ca_path)
nixcommon.setFileAttribs(ca_path, ca_file_owner, ca_group, permissions=0755)
else:
raise CAExists(ca_path)
# Make the CA directories
for dir_info in ca_dirs:
dir_path = '%s/%s' %(ca_path, dir_info[0])
if not os.path.exists(dir_path):
os.mkdir(dir_path)
nixcommon.setFileAttribs(dir_path, ca_file_owner, ca_group, permissions=dir_info[1])
# Create index and crlnumber files or OpenSSL will pitch a hell of a fit
index_txt = "%s/index.txt" %ca_path
crlnumber = "%s/crlnumber" %ca_path
serial = "%s/serial" %ca_path
rand = "%s/keys/.rand" %ca_path
print index_txt, crlnumber
nixcommon.touch(index_txt)
nixcommon.setFileAttribs(index_txt, ca_file_owner, ca_group, permissions=0744)
nixcommon.touch(crlnumber, '00')
nixcommon.setFileAttribs(crlnumber, ca_file_owner, ca_group, permissions=0744)
nixcommon.touch(serial, "%x" %randgen.getrandbits(128))
nixcommon.setFileAttribs(crlnumber, ca_file_owner, ca_group, permissions=0744)
nixcommon.touch(rand)
nixcommon.setFileAttribs(crlnumber, ca_file_owner, ca_group, permissions=0744)
return ca_path