def __gen_certificate(self, entry):
""" génère un certificat pour l'entrée fournie
la demande de certificat doit exister, ainsi que la CA
:param entry:
:type entry: :class:`penatesserver.pki.service.CertificateEntry`
"""
ensure_location(entry.crt_filename)
subca_infos = self.get_subca_infos(entry)
conf_path = self.__gen_openssl_conf(entry, ca_infos=subca_infos)
role = ROLES[entry.role]
local((
'"{openssl}" ca -config "{cfg}" -extensions role_req -in "{req}" -out "{crt}" '
'-notext -days {days} -md {digest} -batch -utf8 ').format(
openssl=settings.OPENSSL_PATH,
cfg=conf_path,
req=entry.req_filename,
crt=entry.crt_filename,
days=role['days'],
digest=role['digest']))
serial = self.__get_certificate_serial(entry.crt_filename)
with codecs.open(self.crt_sources_path, 'a', encoding='utf-8') as fd:
fd.write(
'%s\t%s\t%s\t%s\n' %
(serial, os.path.relpath(entry.key_filename, self.dirname),
os.path.relpath(entry.req_filename, self.dirname),
os.path.relpath(entry.crt_filename, self.dirname)))
def __gen_ca_key(self, entry):
"""
:param entry:
:type entry: :class:`penatesserver.pki.service.CertificateEntry`
"""
role = ROLES[entry.role]
ensure_location(self.cakey_path)
if role['keyType'] == RSA:
local('"{openssl}" genrsa -out {key} {bits}'.format(
bits=role['rsaBits'],
openssl=settings.OPENSSL_PATH,
key=self.cakey_path))
else:
with tempfile.NamedTemporaryFile() as fd:
param = fd.name
local('"{openssl}" dsaparam -rand -genkey {bits} -out "{param}"'.
format(bits=role['dsaBits'],
openssl=settings.OPENSSL_PATH,
param=param))
local('"{openssl}" gendsa -out "{key}" "{param}"'.format(
openssl=settings.OPENSSL_PATH,
param=param,
key=self.cakey_path))
os.remove(param)
os.chmod(self.cakey_path, 0o600)
def set_password(self, password):
self.user_password = password_hash(password)
self.save()
change_password(self.principal_name, password)
if settings.STORE_CLEARTEXT_PASSWORDS:
ensure_location(self.password_filename)
with codecs.open(self.password_filename, 'w', encoding='utf-8') as fd:
fd.write(password)
os.chmod(self.password_filename, 0o400)
def set_password(self, password):
self.user_password = password_hash(password)
self.save()
change_password(self.principal_name, password)
if settings.STORE_CLEARTEXT_PASSWORDS:
ensure_location(self.password_filename)
with codecs.open(self.password_filename, 'w', encoding='utf-8') as fd:
fd.write(password)
os.chmod(self.password_filename, 0o400)
def __gen_ssh(entry):
""" génère la clef publique SSH pour l'entrée fournie
la clef privée doit exister
:param entry:
:type entry: :class:`penatesserver.pki.service.CertificateEntry`
"""
result = local('"{ssh_keygen}" -y -f "{inkey}" '.format(
inkey=entry.key_filename, ssh_keygen=settings.SSH_KEYGEN_PATH))
ensure_location(entry.ssh_filename)
with open(entry.ssh_filename, 'wb') as ssh_fd:
ssh_fd.write(result)
def __gen_ca_req(self, entry):
"""
:param entry:
:type entry: :class:`penatesserver.pki.service.CertificateEntry`
"""
role = ROLES[entry.role]
ensure_location(entry.req_filename)
conf_path = self.__gen_openssl_conf(entry)
local(('"{openssl}" req -out "{out}" -batch -utf8 -new -key "{inkey}" -{digest} -config "{config}" '
'-extensions role_req').format(openssl=settings.OPENSSL_PATH, inkey=self.cakey_path,
digest=role['digest'], config=conf_path, out=entry.req_filename))
def __gen_ssh(entry):
""" génère la clef publique SSH pour l'entrée fournie
la clef privée doit exister
:param entry:
:type entry: :class:`penatesserver.pki.service.CertificateEntry`
"""
result = local('"{ssh_keygen}" -y -f "{inkey}" '.format(inkey=entry.key_filename,
ssh_keygen=settings.SSH_KEYGEN_PATH))
ensure_location(entry.ssh_filename)
with open(entry.ssh_filename, 'wb') as ssh_fd:
ssh_fd.write(result)
def __gen_ca_crt(self, entry):
"""
:param entry:
:type entry: :class:`penatesserver.pki.service.CertificateEntry`
"""
conf_path = self.__gen_openssl_conf(entry)
role = ROLES[entry.role]
ensure_location(self.cacrt_path)
local(('"{openssl}" ca -config "{cfg}" -selfsign -extensions role_req -in "{req}" -out "{crt}" '
'-notext -days {days} -md {digest} -batch -utf8 ').format(openssl=settings.OPENSSL_PATH, cfg=conf_path,
req=entry.req_filename, crt=self.cacrt_path,
days=role['days'], digest=role['digest']))
def __gen_request(self, entry):
""" génère une demande de certificat pour l'entrée fournie
la clef privée doit exister
:param entry:
:type entry: :class:`penatesserver.pki.service.CertificateEntry`
"""
conf_path = self.__gen_openssl_conf(entry)
role = ROLES[entry.role]
ensure_location(entry.req_filename)
local(('"{openssl}" req -out "{out}" -batch -utf8 -new -key "{inkey}" -{digest} -config "{config}" '
'-extensions role_req').format(openssl=settings.OPENSSL_PATH, inkey=entry.key_filename,
digest=role['digest'], config=conf_path, out=entry.req_filename))
def initialize(self):
with Lock(settings.PENATES_LOCKFILE):
serial = os.path.join(self.dirname, 'serial.txt')
index = os.path.join(self.dirname, 'index.txt')
ensure_location(serial)
if not os.path.isfile(serial):
with codecs.open(serial, 'w', encoding='utf-8') as fd:
fd.write("01\n")
if not os.path.isfile(index):
with codecs.open(index, 'w', encoding='utf-8') as fd:
fd.write("")
ensure_location(os.path.join(self.dirname, 'new_certs', '0'))
def initialize(self):
with Lock(settings.PENATES_LOCKFILE):
serial = os.path.join(self.dirname, 'serial.txt')
index = os.path.join(self.dirname, 'index.txt')
ensure_location(serial)
if not os.path.isfile(serial):
with codecs.open(serial, 'w', encoding='utf-8') as fd:
fd.write("01\n")
if not os.path.isfile(index):
with codecs.open(index, 'w', encoding='utf-8') as fd:
fd.write("")
ensure_location(os.path.join(self.dirname, 'new_certs', '0'))
def __gen_ca_req(self, entry):
"""
:param entry:
:type entry: :class:`penatesserver.pki.service.CertificateEntry`
"""
role = ROLES[entry.role]
ensure_location(entry.req_filename)
conf_path = self.__gen_openssl_conf(entry)
local((
'"{openssl}" req -out "{out}" -batch -utf8 -new -key "{inkey}" -{digest} -config "{config}" '
'-extensions role_req').format(openssl=settings.OPENSSL_PATH,
inkey=self.cakey_path,
digest=role['digest'],
config=conf_path,
out=entry.req_filename))
def __gen_pub(entry):
""" génère la clef publique pour l'entrée fournie
la clef privée doit exister
:param entry:
:type entry: :class:`penatesserver.pki.service.CertificateEntry`
"""
role = ROLES[entry.role]
ensure_location(entry.pub_filename)
if role['keyType'] == RSA:
local('"{openssl}" rsa -in "{key}" -out "{pub}" -pubout'.format(openssl=settings.OPENSSL_PATH,
key=entry.key_filename,
pub=entry.pub_filename))
else:
local('"{openssl}" dsa -in "{key}" -out "{pub}" -pubout'.format(openssl=settings.OPENSSL_PATH,
key=entry.key_filename,
pub=entry.pub_filename))
def __gen_request(self, entry):
""" génère une demande de certificat pour l'entrée fournie
la clef privée doit exister
:param entry:
:type entry: :class:`penatesserver.pki.service.CertificateEntry`
"""
conf_path = self.__gen_openssl_conf(entry)
role = ROLES[entry.role]
ensure_location(entry.req_filename)
local((
'"{openssl}" req -out "{out}" -batch -utf8 -new -key "{inkey}" -{digest} -config "{config}" '
'-extensions role_req').format(openssl=settings.OPENSSL_PATH,
inkey=entry.key_filename,
digest=role['digest'],
config=conf_path,
out=entry.req_filename))
def __gen_ca_crt(self, entry):
"""
:param entry:
:type entry: :class:`penatesserver.pki.service.CertificateEntry`
"""
conf_path = self.__gen_openssl_conf(entry)
role = ROLES[entry.role]
ensure_location(self.cacrt_path)
local((
'"{openssl}" ca -config "{cfg}" -selfsign -extensions role_req -in "{req}" -out "{crt}" '
'-notext -days {days} -md {digest} -batch -utf8 ').format(
openssl=settings.OPENSSL_PATH,
cfg=conf_path,
req=entry.req_filename,
crt=self.cacrt_path,
days=role['days'],
digest=role['digest']))
def __gen_pub(entry):
""" génère la clef publique pour l'entrée fournie
la clef privée doit exister
:param entry:
:type entry: :class:`penatesserver.pki.service.CertificateEntry`
"""
role = ROLES[entry.role]
ensure_location(entry.pub_filename)
if role['keyType'] == RSA:
local('"{openssl}" rsa -in "{key}" -out "{pub}" -pubout'.format(
openssl=settings.OPENSSL_PATH,
key=entry.key_filename,
pub=entry.pub_filename))
else:
local('"{openssl}" dsa -in "{key}" -out "{pub}" -pubout'.format(
openssl=settings.OPENSSL_PATH,
key=entry.key_filename,
pub=entry.pub_filename))
def __gen_certificate(self, entry):
""" génère un certificat pour l'entrée fournie
la demande de certificat doit exister, ainsi que la CA
:param entry:
:type entry: :class:`penatesserver.pki.service.CertificateEntry`
"""
ensure_location(entry.crt_filename)
subca_infos = self.get_subca_infos(entry)
conf_path = self.__gen_openssl_conf(entry, ca_infos=subca_infos)
role = ROLES[entry.role]
local(('"{openssl}" ca -config "{cfg}" -extensions role_req -in "{req}" -out "{crt}" '
'-notext -days {days} -md {digest} -batch -utf8 ').format(openssl=settings.OPENSSL_PATH, cfg=conf_path,
req=entry.req_filename, crt=entry.crt_filename,
days=role['days'], digest=role['digest']))
serial = self.__get_certificate_serial(entry.crt_filename)
with codecs.open(self.crt_sources_path, 'a', encoding='utf-8') as fd:
fd.write('%s\t%s\t%s\t%s\n' % (serial, os.path.relpath(entry.key_filename, self.dirname),
os.path.relpath(entry.req_filename, self.dirname),
os.path.relpath(entry.crt_filename, self.dirname)))
def __gen_ca_key(self, entry):
"""
:param entry:
:type entry: :class:`penatesserver.pki.service.CertificateEntry`
"""
role = ROLES[entry.role]
ensure_location(self.cakey_path)
if role['keyType'] == RSA:
local('"{openssl}" genrsa -out {key} {bits}'.format(bits=role['rsaBits'], openssl=settings.OPENSSL_PATH,
key=self.cakey_path))
else:
with tempfile.NamedTemporaryFile() as fd:
param = fd.name
local('"{openssl}" dsaparam -rand -genkey {bits} -out "{param}"'.format(bits=role['dsaBits'],
openssl=settings.OPENSSL_PATH,
param=param))
local('"{openssl}" gendsa -out "{key}" "{param}"'.format(openssl=settings.OPENSSL_PATH, param=param,
key=self.cakey_path))
os.remove(param)
os.chmod(self.cakey_path, 0o600)