Пример #1
0
 def __gen_certificate(self, entry):
     """ génère un certificat pour l'entrée fournie
     la demande de certificat doit exister, ainsi que la CA
     :param entry:
     :type entry: :class:`penatesserver.pki.service.CertificateEntry`
     """
     ensure_location(entry.crt_filename)
     subca_infos = self.get_subca_infos(entry)
     conf_path = self.__gen_openssl_conf(entry, ca_infos=subca_infos)
     role = ROLES[entry.role]
     local((
         '"{openssl}" ca -config "{cfg}" -extensions role_req -in "{req}" -out "{crt}" '
         '-notext -days {days} -md {digest} -batch -utf8 ').format(
             openssl=settings.OPENSSL_PATH,
             cfg=conf_path,
             req=entry.req_filename,
             crt=entry.crt_filename,
             days=role['days'],
             digest=role['digest']))
     serial = self.__get_certificate_serial(entry.crt_filename)
     with codecs.open(self.crt_sources_path, 'a', encoding='utf-8') as fd:
         fd.write(
             '%s\t%s\t%s\t%s\n' %
             (serial, os.path.relpath(entry.key_filename, self.dirname),
              os.path.relpath(entry.req_filename, self.dirname),
              os.path.relpath(entry.crt_filename, self.dirname)))
Пример #2
0
 def __gen_ca_key(self, entry):
     """
     :param entry:
     :type entry: :class:`penatesserver.pki.service.CertificateEntry`
     """
     role = ROLES[entry.role]
     ensure_location(self.cakey_path)
     if role['keyType'] == RSA:
         local('"{openssl}" genrsa -out {key} {bits}'.format(
             bits=role['rsaBits'],
             openssl=settings.OPENSSL_PATH,
             key=self.cakey_path))
     else:
         with tempfile.NamedTemporaryFile() as fd:
             param = fd.name
         local('"{openssl}" dsaparam -rand -genkey {bits} -out "{param}"'.
               format(bits=role['dsaBits'],
                      openssl=settings.OPENSSL_PATH,
                      param=param))
         local('"{openssl}" gendsa -out "{key}" "{param}"'.format(
             openssl=settings.OPENSSL_PATH,
             param=param,
             key=self.cakey_path))
         os.remove(param)
     os.chmod(self.cakey_path, 0o600)
Пример #3
0
 def set_password(self, password):
     self.user_password = password_hash(password)
     self.save()
     change_password(self.principal_name, password)
     if settings.STORE_CLEARTEXT_PASSWORDS:
         ensure_location(self.password_filename)
         with codecs.open(self.password_filename, 'w', encoding='utf-8') as fd:
             fd.write(password)
         os.chmod(self.password_filename, 0o400)
Пример #4
0
 def set_password(self, password):
     self.user_password = password_hash(password)
     self.save()
     change_password(self.principal_name, password)
     if settings.STORE_CLEARTEXT_PASSWORDS:
         ensure_location(self.password_filename)
         with codecs.open(self.password_filename, 'w', encoding='utf-8') as fd:
             fd.write(password)
         os.chmod(self.password_filename, 0o400)
Пример #5
0
 def __gen_ssh(entry):
     """ génère la clef publique SSH pour l'entrée fournie
     la clef privée doit exister
     :param entry:
     :type entry: :class:`penatesserver.pki.service.CertificateEntry`
     """
     result = local('"{ssh_keygen}" -y -f "{inkey}" '.format(
         inkey=entry.key_filename, ssh_keygen=settings.SSH_KEYGEN_PATH))
     ensure_location(entry.ssh_filename)
     with open(entry.ssh_filename, 'wb') as ssh_fd:
         ssh_fd.write(result)
Пример #6
0
 def __gen_ca_req(self, entry):
     """
     :param entry:
     :type entry: :class:`penatesserver.pki.service.CertificateEntry`
     """
     role = ROLES[entry.role]
     ensure_location(entry.req_filename)
     conf_path = self.__gen_openssl_conf(entry)
     local(('"{openssl}" req  -out "{out}" -batch -utf8 -new -key "{inkey}" -{digest} -config "{config}" '
            '-extensions role_req').format(openssl=settings.OPENSSL_PATH, inkey=self.cakey_path,
                                           digest=role['digest'], config=conf_path, out=entry.req_filename))
Пример #7
0
 def __gen_ssh(entry):
     """ génère la clef publique SSH pour l'entrée fournie
     la clef privée doit exister
     :param entry:
     :type entry: :class:`penatesserver.pki.service.CertificateEntry`
     """
     result = local('"{ssh_keygen}" -y -f "{inkey}" '.format(inkey=entry.key_filename,
                                                             ssh_keygen=settings.SSH_KEYGEN_PATH))
     ensure_location(entry.ssh_filename)
     with open(entry.ssh_filename, 'wb') as ssh_fd:
         ssh_fd.write(result)
Пример #8
0
 def __gen_ca_crt(self, entry):
     """
     :param entry:
     :type entry: :class:`penatesserver.pki.service.CertificateEntry`
     """
     conf_path = self.__gen_openssl_conf(entry)
     role = ROLES[entry.role]
     ensure_location(self.cacrt_path)
     local(('"{openssl}" ca -config "{cfg}" -selfsign -extensions role_req -in "{req}" -out "{crt}" '
            '-notext -days {days} -md {digest} -batch -utf8 ').format(openssl=settings.OPENSSL_PATH, cfg=conf_path,
                                                                      req=entry.req_filename, crt=self.cacrt_path,
                                                                      days=role['days'], digest=role['digest']))
Пример #9
0
 def __gen_request(self, entry):
     """ génère une demande de certificat pour l'entrée fournie
     la clef privée doit exister
     :param entry:
     :type entry: :class:`penatesserver.pki.service.CertificateEntry`
     """
     conf_path = self.__gen_openssl_conf(entry)
     role = ROLES[entry.role]
     ensure_location(entry.req_filename)
     local(('"{openssl}" req  -out "{out}" -batch -utf8 -new -key "{inkey}" -{digest} -config "{config}" '
            '-extensions role_req').format(openssl=settings.OPENSSL_PATH, inkey=entry.key_filename,
                                           digest=role['digest'], config=conf_path, out=entry.req_filename))
Пример #10
0
 def initialize(self):
     with Lock(settings.PENATES_LOCKFILE):
         serial = os.path.join(self.dirname, 'serial.txt')
         index = os.path.join(self.dirname, 'index.txt')
         ensure_location(serial)
         if not os.path.isfile(serial):
             with codecs.open(serial, 'w', encoding='utf-8') as fd:
                 fd.write("01\n")
         if not os.path.isfile(index):
             with codecs.open(index, 'w', encoding='utf-8') as fd:
                 fd.write("")
         ensure_location(os.path.join(self.dirname, 'new_certs', '0'))
Пример #11
0
 def initialize(self):
     with Lock(settings.PENATES_LOCKFILE):
         serial = os.path.join(self.dirname, 'serial.txt')
         index = os.path.join(self.dirname, 'index.txt')
         ensure_location(serial)
         if not os.path.isfile(serial):
             with codecs.open(serial, 'w', encoding='utf-8') as fd:
                 fd.write("01\n")
         if not os.path.isfile(index):
             with codecs.open(index, 'w', encoding='utf-8') as fd:
                 fd.write("")
         ensure_location(os.path.join(self.dirname, 'new_certs', '0'))
Пример #12
0
 def __gen_ca_req(self, entry):
     """
     :param entry:
     :type entry: :class:`penatesserver.pki.service.CertificateEntry`
     """
     role = ROLES[entry.role]
     ensure_location(entry.req_filename)
     conf_path = self.__gen_openssl_conf(entry)
     local((
         '"{openssl}" req  -out "{out}" -batch -utf8 -new -key "{inkey}" -{digest} -config "{config}" '
         '-extensions role_req').format(openssl=settings.OPENSSL_PATH,
                                        inkey=self.cakey_path,
                                        digest=role['digest'],
                                        config=conf_path,
                                        out=entry.req_filename))
Пример #13
0
 def __gen_pub(entry):
     """ génère la clef publique pour l'entrée fournie
     la clef privée doit exister
     :param entry:
     :type entry: :class:`penatesserver.pki.service.CertificateEntry`
     """
     role = ROLES[entry.role]
     ensure_location(entry.pub_filename)
     if role['keyType'] == RSA:
         local('"{openssl}" rsa -in "{key}" -out "{pub}" -pubout'.format(openssl=settings.OPENSSL_PATH,
                                                                         key=entry.key_filename,
                                                                         pub=entry.pub_filename))
     else:
         local('"{openssl}" dsa -in "{key}" -out "{pub}" -pubout'.format(openssl=settings.OPENSSL_PATH,
                                                                         key=entry.key_filename,
                                                                         pub=entry.pub_filename))
Пример #14
0
 def __gen_request(self, entry):
     """ génère une demande de certificat pour l'entrée fournie
     la clef privée doit exister
     :param entry:
     :type entry: :class:`penatesserver.pki.service.CertificateEntry`
     """
     conf_path = self.__gen_openssl_conf(entry)
     role = ROLES[entry.role]
     ensure_location(entry.req_filename)
     local((
         '"{openssl}" req  -out "{out}" -batch -utf8 -new -key "{inkey}" -{digest} -config "{config}" '
         '-extensions role_req').format(openssl=settings.OPENSSL_PATH,
                                        inkey=entry.key_filename,
                                        digest=role['digest'],
                                        config=conf_path,
                                        out=entry.req_filename))
Пример #15
0
 def __gen_ca_crt(self, entry):
     """
     :param entry:
     :type entry: :class:`penatesserver.pki.service.CertificateEntry`
     """
     conf_path = self.__gen_openssl_conf(entry)
     role = ROLES[entry.role]
     ensure_location(self.cacrt_path)
     local((
         '"{openssl}" ca -config "{cfg}" -selfsign -extensions role_req -in "{req}" -out "{crt}" '
         '-notext -days {days} -md {digest} -batch -utf8 ').format(
             openssl=settings.OPENSSL_PATH,
             cfg=conf_path,
             req=entry.req_filename,
             crt=self.cacrt_path,
             days=role['days'],
             digest=role['digest']))
Пример #16
0
 def __gen_pub(entry):
     """ génère la clef publique pour l'entrée fournie
     la clef privée doit exister
     :param entry:
     :type entry: :class:`penatesserver.pki.service.CertificateEntry`
     """
     role = ROLES[entry.role]
     ensure_location(entry.pub_filename)
     if role['keyType'] == RSA:
         local('"{openssl}" rsa -in "{key}" -out "{pub}" -pubout'.format(
             openssl=settings.OPENSSL_PATH,
             key=entry.key_filename,
             pub=entry.pub_filename))
     else:
         local('"{openssl}" dsa -in "{key}" -out "{pub}" -pubout'.format(
             openssl=settings.OPENSSL_PATH,
             key=entry.key_filename,
             pub=entry.pub_filename))
Пример #17
0
 def __gen_certificate(self, entry):
     """ génère un certificat pour l'entrée fournie
     la demande de certificat doit exister, ainsi que la CA
     :param entry:
     :type entry: :class:`penatesserver.pki.service.CertificateEntry`
     """
     ensure_location(entry.crt_filename)
     subca_infos = self.get_subca_infos(entry)
     conf_path = self.__gen_openssl_conf(entry, ca_infos=subca_infos)
     role = ROLES[entry.role]
     local(('"{openssl}" ca -config "{cfg}" -extensions role_req -in "{req}" -out "{crt}" '
            '-notext -days {days} -md {digest} -batch -utf8 ').format(openssl=settings.OPENSSL_PATH, cfg=conf_path,
                                                                      req=entry.req_filename, crt=entry.crt_filename,
                                                                      days=role['days'], digest=role['digest']))
     serial = self.__get_certificate_serial(entry.crt_filename)
     with codecs.open(self.crt_sources_path, 'a', encoding='utf-8') as fd:
         fd.write('%s\t%s\t%s\t%s\n' % (serial, os.path.relpath(entry.key_filename, self.dirname),
                                        os.path.relpath(entry.req_filename, self.dirname),
                                        os.path.relpath(entry.crt_filename, self.dirname)))
Пример #18
0
 def __gen_ca_key(self, entry):
     """
     :param entry:
     :type entry: :class:`penatesserver.pki.service.CertificateEntry`
     """
     role = ROLES[entry.role]
     ensure_location(self.cakey_path)
     if role['keyType'] == RSA:
         local('"{openssl}" genrsa -out {key} {bits}'.format(bits=role['rsaBits'], openssl=settings.OPENSSL_PATH,
                                                             key=self.cakey_path))
     else:
         with tempfile.NamedTemporaryFile() as fd:
             param = fd.name
         local('"{openssl}" dsaparam -rand -genkey {bits} -out "{param}"'.format(bits=role['dsaBits'],
                                                                                 openssl=settings.OPENSSL_PATH,
                                                                                 param=param))
         local('"{openssl}" gendsa -out "{key}" "{param}"'.format(openssl=settings.OPENSSL_PATH, param=param,
                                                                  key=self.cakey_path))
         os.remove(param)
     os.chmod(self.cakey_path, 0o600)