Пример #1
0
def adjust_broker_config(cacert, cakey, keystore, keystore_pass, basedir, gtdir, log):
    brokerconfig = get_brokerconfig_path(gtdir)

    pathutil.ensure_file_exists(cacert, "CA certificate")
    pathutil.ensure_file_exists(cakey, "CA private key")
    pathutil.ensure_file_exists(brokerconfig, "Nimbus Context Broker config")
    pathutil.ensure_file_exists(keystore, "Java keystore")

    # is some BS
    restbroker_xml = pathutil.pathjoin(gtdir, 
            'etc/nimbus-context-broker/other/main.xml')
    pathutil.ensure_file_exists(restbroker_xml, 
            "Context Broker REST interface config")

    args = [brokerconfig, 'NimbusContextBroker', 'ctxBrokerBootstrapFactory',
            'caCertPath', cacert, 'caKeyPath', cakey]
    (exitcode, stdout, stderr) = javautil.run(basedir, log, 
            EXE_SERVICE_RESOURCE, args=args)
    runutil.generic_bailout("Problem adjusting broker config", 
            exitcode, stdout, stderr)
    
    args = [brokerconfig, 'NimbusContextBroker', 'rest',
            'keystoreLocation', keystore, 'keystorePassword', keystore_pass,
            'springConfig', restbroker_xml]
    (exitcode, stdout, stderr) = javautil.run(basedir, log, 
            EXE_SERVICE_RESOURCE, args=args)
    runutil.generic_bailout("Problem adjusting broker config", 
            exitcode, stdout, stderr)
    log.debug("Ensured Context Broker CA config: %s" % brokerconfig)
Пример #2
0
def adjust_host_cert(cert, key, basedir, gtdir, log):

    pathutil.ensure_file_exists(cert, "host certificate")
    pathutil.ensure_file_exists(key, "host private key")

    secdesc = get_secdesc_path(gtdir)
    pathutil.ensure_file_exists(secdesc, "container security settings")

    args = [cert, secdesc]
    (exitcode, stdout, stderr) = javautil.run(basedir,
                                              log,
                                              EXE_NEW_HOSTCERTFILE,
                                              args=args)
    runutil.generic_bailout("Problem activating host certificate", exitcode,
                            stdout, stderr)
    log.debug("Activated host certificate file in GT container: %s" % cert)

    args = [key, secdesc]
    (exitcode, stdout, stderr) = javautil.run(basedir,
                                              log,
                                              EXE_NEW_HOSTKEYFILE,
                                              args=args)
    runutil.generic_bailout("Problem activating host key", exitcode, stdout,
                            stderr)
    log.debug("Activated host key file in GT container: %s" % cert)
Пример #3
0
def ensureKeystore(certpath, keypath, storepath, password, basedir, log):
    """
    Creates or validates a Java keystore from PEM-encoded certificate and key
    """

    if not pathutil.check_path_exists(certpath):
        msg = "Certificate file does not exist: " + certpath
        raise IncompatibleEnvironment(msg)

    if not pathutil.check_path_exists(keypath):
        msg = "Private key file does not exist: " + keypath
        raise IncompatibleEnvironment(msg)

    if pathutil.check_path_exists(storepath):
        log.debug("Keystore file exists: %s." % storepath,
                  "Ensuring that it contains right cert/key")

    args = [certpath, keypath, storepath, password]
    (exitcode, stdout, stderr) = javautil.run(basedir,
                                              log,
                                              EXE_KEYSTORE_FROM_PEM,
                                              args=args)
    if exitcode == 2:
        raise KeystoreMismatchError(stderr)
    runutil.generic_bailout("Problem creating keystore", exitcode, stdout,
                            stderr)
Пример #4
0
def findCAkey(basedir, cadir, log):
    cacertdir = pathutil.pathjoin(cadir, "ca-certs")
    args = [cacertdir]
    (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_FIND_CA_PRIVPEM, args=args)
    runutil.generic_bailout("Problem finding CA key.", exitcode, stdout, stderr)
    if not stdout:
        raise UnexpectedError("Path is not present for CA key")
    keypath = stdout.strip()
    pathutil.ensure_file_exists(keypath, "CA key")
    return keypath
Пример #5
0
def getCertDN(certpath, basedir, log):

    if not pathutil.check_path_exists(certpath):
        msg = "Certificate file does not exist: " + certpath
        raise IncompatibleEnvironment(msg)
    
    args = [certpath]
    (exitcode, stdout, stderr) = javautil.run(basedir, log, 
            EXE_GET_CERT_DN, args=args)
    runutil.generic_bailout("Problem finding cert DN", 
            exitcode, stdout, stderr)

    return stdout.strip()
Пример #6
0
def findCAkey(basedir, cadir, log):
    cacertdir = pathutil.pathjoin(cadir, "ca-certs")
    args = [cacertdir]
    (exitcode, stdout, stderr) = javautil.run(basedir,
                                              log,
                                              EXE_FIND_CA_PRIVPEM,
                                              args=args)
    runutil.generic_bailout("Problem finding CA key.", exitcode, stdout,
                            stderr)
    if not stdout:
        raise UnexpectedError("Path is not present for CA key")
    keypath = stdout.strip()
    pathutil.ensure_file_exists(keypath, "CA key")
    return keypath
Пример #7
0
def getCertDN(certpath, basedir, log):

    if not pathutil.check_path_exists(certpath):
        msg = "Certificate file does not exist: " + certpath
        raise IncompatibleEnvironment(msg)

    args = [certpath]
    (exitcode, stdout, stderr) = javautil.run(basedir,
                                              log,
                                              EXE_GET_CERT_DN,
                                              args=args)
    runutil.generic_bailout("Problem finding cert DN", exitcode, stdout,
                            stderr)

    return stdout.strip()
Пример #8
0
def adjust_secdesc_path(basedir, gtdir, log):

    secdesc = get_secdesc_path(gtdir)
    pathutil.ensure_file_exists(secdesc, "container security settings")

    serverconfig = get_serverconfig_path(gtdir)
    pathutil.ensure_file_exists(serverconfig, "GT server config")

    args = [secdesc, serverconfig]
    (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_GLOBUS_SECDESC, 
            args=args)
    runutil.generic_bailout("Problem activating new security settings in GT container", 
            exitcode, stdout, stderr)

    log.debug("Activated new security settings file in GT container: %s" %
            secdesc)
Пример #9
0
def adjust_gridmap_file(gridmap, basedir, gtdir, log):
    if not pathutil.is_absolute_path(gridmap):
        raise IncompatibleEnvironment("gridmap path must be absolute")

    pathutil.ensure_file_exists(gridmap, "gridmap")

    secdesc = get_secdesc_path(gtdir)
    pathutil.ensure_file_exists(secdesc, "container security settings")

    args = [gridmap, secdesc]
    (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_NEW_GRIDMAPFILE,
            args=args)
    runutil.generic_bailout("Problem setting new gridmap file location", 
            exitcode, stdout, stderr)

    log.debug("Adjusted GT container gridmap file to %s" % gridmap)
Пример #10
0
def adjust_gridmap_file(gridmap, basedir, gtdir, log):
    if not pathutil.is_absolute_path(gridmap):
        raise IncompatibleEnvironment("gridmap path must be absolute")

    pathutil.ensure_file_exists(gridmap, "gridmap")

    secdesc = get_secdesc_path(gtdir)
    pathutil.ensure_file_exists(secdesc, "container security settings")

    args = [gridmap, secdesc]
    (exitcode, stdout, stderr) = javautil.run(basedir,
                                              log,
                                              EXE_NEW_GRIDMAPFILE,
                                              args=args)
    runutil.generic_bailout("Problem setting new gridmap file location",
                            exitcode, stdout, stderr)

    log.debug("Adjusted GT container gridmap file to %s" % gridmap)
Пример #11
0
def adjust_secdesc_path(basedir, gtdir, log):

    secdesc = get_secdesc_path(gtdir)
    pathutil.ensure_file_exists(secdesc, "container security settings")

    serverconfig = get_serverconfig_path(gtdir)
    pathutil.ensure_file_exists(serverconfig, "GT server config")

    args = [secdesc, serverconfig]
    (exitcode, stdout, stderr) = javautil.run(basedir,
                                              log,
                                              EXE_GLOBUS_SECDESC,
                                              args=args)
    runutil.generic_bailout(
        "Problem activating new security settings in GT container", exitcode,
        stdout, stderr)

    log.debug("Activated new security settings file in GT container: %s" %
              secdesc)
Пример #12
0
def adjust_hostname(hostname, basedir, gtdir, log):
    serverconfig = get_serverconfig_path(gtdir)
    pathutil.ensure_file_exists(serverconfig, "GT server config")

    args = [hostname, serverconfig]
    (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_LOGICAL_HOST, 
            args=args)
    runutil.generic_bailout("Problem adjusting logical host in GT container", 
            exitcode, stdout, stderr)

    log.debug("Adjusted GT container logical host to %s" % hostname)

    args = ['true', serverconfig]
    (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_PUBLISH_HOST, 
            args=args)
    runutil.generic_bailout("Problem setting GT container to publish hostname", 
            exitcode, stdout, stderr)

    log.debug("Adjusted GT container to publish hostname in URLs")
Пример #13
0
def adjust_host_cert(cert, key, basedir, gtdir, log):

    pathutil.ensure_file_exists(cert, "host certificate")
    pathutil.ensure_file_exists(key, "host private key")

    secdesc = get_secdesc_path(gtdir)
    pathutil.ensure_file_exists(secdesc, "container security settings")

    args = [cert, secdesc]
    (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_NEW_HOSTCERTFILE, 
            args=args)
    runutil.generic_bailout("Problem activating host certificate", 
            exitcode, stdout, stderr)
    log.debug("Activated host certificate file in GT container: %s" % cert)

    args = [key, secdesc]
    (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_NEW_HOSTKEYFILE, 
            args=args)
    runutil.generic_bailout("Problem activating host key", 
            exitcode, stdout, stderr)
    log.debug("Activated host key file in GT container: %s" % cert)
Пример #14
0
def adjust_broker_config(cacert, cakey, keystore, keystore_pass, basedir,
                         gtdir, log):
    brokerconfig = get_brokerconfig_path(gtdir)

    pathutil.ensure_file_exists(cacert, "CA certificate")
    pathutil.ensure_file_exists(cakey, "CA private key")
    pathutil.ensure_file_exists(brokerconfig, "Nimbus Context Broker config")
    pathutil.ensure_file_exists(keystore, "Java keystore")

    # is some BS
    restbroker_xml = pathutil.pathjoin(
        gtdir, 'etc/nimbus-context-broker/other/main.xml')
    pathutil.ensure_file_exists(restbroker_xml,
                                "Context Broker REST interface config")

    args = [
        brokerconfig, 'NimbusContextBroker', 'ctxBrokerBootstrapFactory',
        'caCertPath', cacert, 'caKeyPath', cakey
    ]
    (exitcode, stdout, stderr) = javautil.run(basedir,
                                              log,
                                              EXE_SERVICE_RESOURCE,
                                              args=args)
    runutil.generic_bailout("Problem adjusting broker config", exitcode,
                            stdout, stderr)

    args = [
        brokerconfig, 'NimbusContextBroker', 'rest', 'keystoreLocation',
        keystore, 'keystorePassword', keystore_pass, 'springConfig',
        restbroker_xml
    ]
    (exitcode, stdout, stderr) = javautil.run(basedir,
                                              log,
                                              EXE_SERVICE_RESOURCE,
                                              args=args)
    runutil.generic_bailout("Problem adjusting broker config", exitcode,
                            stdout, stderr)
    log.debug("Ensured Context Broker CA config: %s" % brokerconfig)
Пример #15
0
def adjust_hostname(hostname, basedir, gtdir, log):
    serverconfig = get_serverconfig_path(gtdir)
    pathutil.ensure_file_exists(serverconfig, "GT server config")

    args = [hostname, serverconfig]
    (exitcode, stdout, stderr) = javautil.run(basedir,
                                              log,
                                              EXE_LOGICAL_HOST,
                                              args=args)
    runutil.generic_bailout("Problem adjusting logical host in GT container",
                            exitcode, stdout, stderr)

    log.debug("Adjusted GT container logical host to %s" % hostname)

    args = ['true', serverconfig]
    (exitcode, stdout, stderr) = javautil.run(basedir,
                                              log,
                                              EXE_PUBLISH_HOST,
                                              args=args)
    runutil.generic_bailout("Problem setting GT container to publish hostname",
                            exitcode, stdout, stderr)

    log.debug("Adjusted GT container to publish hostname in URLs")
Пример #16
0
def ensureKeystore(certpath, keypath, storepath, password, basedir, log):
    """
    Creates or validates a Java keystore from PEM-encoded certificate and key
    """

    if not pathutil.check_path_exists(certpath):
        msg = "Certificate file does not exist: " + certpath
        raise IncompatibleEnvironment(msg)
    
    if not pathutil.check_path_exists(keypath):
        msg = "Private key file does not exist: " + keypath
        raise IncompatibleEnvironment(msg)

    if pathutil.check_path_exists(storepath):
        log.debug("Keystore file exists: %s." % storepath, 
                "Ensuring that it contains right cert/key")

    args = [certpath, keypath, storepath, password]
    (exitcode, stdout, stderr) = javautil.run(basedir, log, 
            EXE_KEYSTORE_FROM_PEM, args=args)
    if exitcode == 2:
        raise KeystoreMismatchError(stderr)
    runutil.generic_bailout("Problem creating keystore", 
            exitcode, stdout, stderr)
Пример #17
0
def createCert(CN,
               basedir,
               cadir,
               certtarget,
               keytarget,
               log,
               allow_overwrite=False):

    if not allow_overwrite and pathutil.check_path_exists(certtarget):
        msg = "Certificate file present already: " + certtarget
        raise IncompatibleEnvironment(msg)
    if not allow_overwrite and pathutil.check_path_exists(keytarget):
        msg = "Key file present already: " + keytarget
        raise IncompatibleEnvironment(msg)

    cacert_path = findCAcert(basedir, cadir, log)
    cakey_path = findCAkey(basedir, cadir, log)

    # Create temp directory.
    uuid = pathutil.uuidgen()
    tempdir = pathutil.pathjoin(cadir, uuid)
    os.mkdir(tempdir)
    pathutil.ensure_dir_exists(tempdir, "temp certs directory")
    log.debug("Created %s" % tempdir)

    args = [tempdir, CN, "pub", "priv", cacert_path, cakey_path]
    (exitcode, stdout, stderr) = javautil.run(basedir,
                                              log,
                                              EXE_CREATE_NEW_CERT,
                                              args=args)
    runutil.generic_bailout("Problem creating certificate.", exitcode, stdout,
                            stderr)

    pub_DN = stdout.strip()

    temp_pub_path = pathutil.pathjoin(tempdir, "pub")
    pathutil.ensure_file_exists(temp_pub_path, "temp cert")
    log.debug("temp cert exists: " + temp_pub_path)

    # copy that to user-cert records
    args = [temp_pub_path]
    (exitcode, stdout, stderr) = javautil.run(basedir,
                                              log,
                                              EXE_GET_HASHED_CERT_NAME,
                                              args=args)
    runutil.generic_bailout("Problem finding hashed cert name.", exitcode,
                            stdout, stderr)
    usercertfilehash = stdout.strip()
    log.debug("user cert file hash is '%s'" % usercertfilehash)
    cert_records_path = pathutil.pathjoin(cadir, "user-certs")
    cert_records_path = pathutil.pathjoin(cert_records_path,
                                          usercertfilehash + ".0")
    shutil.copyfile(temp_pub_path, cert_records_path)
    pathutil.ensure_file_exists(cert_records_path, "new certificate (record)")
    log.debug("cert exists at target: " + cert_records_path)

    temp_priv_path = pathutil.pathjoin(tempdir, "priv")
    pathutil.ensure_file_exists(temp_priv_path, "temp key")
    log.debug("temp key exists: " + temp_priv_path)

    log.debug("Created certificate: %s" % pub_DN)

    # Those user-supplied targets still don't exist, right? :-)
    if not allow_overwrite and pathutil.check_path_exists(certtarget):
        msg = "Certificate file present already: " + certtarget
        raise IncompatibleEnvironment(msg)
    if not allow_overwrite and pathutil.check_path_exists(keytarget):
        msg = "Key file present already: " + keytarget
        raise IncompatibleEnvironment(msg)

    shutil.copyfile(temp_pub_path, certtarget)
    pathutil.ensure_file_exists(certtarget, "new certificate")
    log.debug("cert exists at target: " + certtarget)

    shutil.copyfile(temp_priv_path, keytarget)
    pathutil.ensure_file_exists(keytarget, "new key")
    log.debug("key exists at target: " + keytarget)

    pathutil.make_path_rw_private(keytarget)
    pathutil.ensure_path_private(keytarget, "new key")
    log.debug("file made private: %s" % keytarget)

    shutil.rmtree(tempdir)

    return pub_DN
Пример #18
0
def _createCA(ca_name, basedir, cadir, log):
    
    javautil.check(basedir, log)
    
    # mkdir $cadir
    # mkdir $cadir/ca-certs
    # mkdir $cadir/trusted-certs
    # mkdir $cadir/user-certs
    
    os.mkdir(cadir)
    pathutil.ensure_dir_exists(cadir, "New CA directory")
    log.debug("Created %s" % cadir)
    
    cacertdir = pathutil.pathjoin(cadir, "ca-certs")
    os.mkdir(cacertdir)
    pathutil.ensure_dir_exists(cacertdir, "New CA certs directory")
    log.debug("Created %s" % cacertdir)
    
    trustedcertdir = pathutil.pathjoin(cadir, "trusted-certs")
    os.mkdir(trustedcertdir)
    pathutil.ensure_dir_exists(trustedcertdir, "New CA trusted certs directory")
    log.debug("Created %s" % trustedcertdir)
    
    usercertdir = pathutil.pathjoin(cadir, "user-certs")
    os.mkdir(usercertdir)
    pathutil.ensure_dir_exists(usercertdir, "New CA user certs directory")
    log.debug("Created %s" % usercertdir)
    
    # Create the cert via autocommon
    
    args = [cacertdir, ca_name]
    (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_CREATE_NEW_CA, args=args)
    runutil.generic_bailout("Problem creating CA.", exitcode, stdout, stderr)
    
    
    # Make the private key owner-readable only
    
    privkeyname = "private-key-" + ca_name + ".pem"
    cakeyfile = pathutil.pathjoin(cacertdir, privkeyname)
    pathutil.ensure_file_exists(cakeyfile, "New CA key")
    log.debug("file exists: %s" % cakeyfile)
    pathutil.make_path_rw_private(cakeyfile)
    pathutil.ensure_path_private(cakeyfile, "New CA key")
    log.debug("file made private: %s" % cakeyfile)
    
    
    # Copy the new certificate file to the "hash.0" version that some toolings
    # will expect.
    
    cacertfile = pathutil.pathjoin(cacertdir, ca_name + ".pem")
    pathutil.ensure_file_exists(cacertfile, "New CA cert")
    log.debug("file exists: %s" % cacertfile)
    
    args = [cacertfile]
    (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_GET_HASHED_CERT_NAME, args=args)
    runutil.generic_bailout("Problem finding hashed cert name.", exitcode, stdout, stderr)
    cacertfilehash = stdout.strip()
    log.debug("cert file hash is '%s'" % cacertfilehash)
    
    newpath = pathutil.pathjoin(cacertdir, cacertfilehash + ".0")
    shutil.copyfile(cacertfile, newpath)
    pathutil.ensure_file_exists(newpath, "New CA cert (hashed #1)")
    log.debug("file exists: %s" % newpath)
    
    newpath = pathutil.pathjoin(trustedcertdir, cacertfilehash + ".0")
    shutil.copyfile(cacertfile, newpath)
    pathutil.ensure_file_exists(newpath, "New CA cert (hashed #2)")
    log.debug("file exists: %s" % newpath)
    
    # Signing policy
    
    signing1 = pathutil.pathjoin(cacertdir, cacertfilehash + ".signing_policy")
    args = [cacertfile, signing1]
    (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_WRITE_SIGNING_POLICY, args=args)
    runutil.generic_bailout("Problem creating signing_policy file.", exitcode, stdout, stderr)
    pathutil.ensure_file_exists(signing1, "signing_policy file #1")
    log.debug("file exists: %s" % signing1)
    
    signing2 = pathutil.pathjoin(trustedcertdir, cacertfilehash + ".signing_policy")
    shutil.copyfile(signing1, signing2)
    pathutil.ensure_file_exists(signing2, "signing_policy file #2")
    log.debug("file exists: %s" % signing2)
        
    # CRL
    
    crl1 = pathutil.pathjoin(cacertdir, cacertfilehash + ".r0")
    args = [crl1, cacertfile, cakeyfile]
    (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_CREATE_CRL, args=args)
    runutil.generic_bailout("Problem creating revocation file.", exitcode, stdout, stderr)
    pathutil.ensure_file_exists(crl1, "revocation file #1")
    log.debug("file exists: %s" % crl1)
    
    crl2 = pathutil.pathjoin(trustedcertdir, cacertfilehash + ".r0")
    shutil.copyfile(crl1, crl2)
    pathutil.ensure_file_exists(crl2, "revocation file #2")
    log.debug("file exists: %s" % crl2)
Пример #19
0
def _createCA(ca_name, basedir, cadir, log):

    javautil.check(basedir, log)

    # mkdir $cadir
    # mkdir $cadir/ca-certs
    # mkdir $cadir/trusted-certs
    # mkdir $cadir/user-certs

    os.mkdir(cadir)
    pathutil.ensure_dir_exists(cadir, "New CA directory")
    log.debug("Created %s" % cadir)

    cacertdir = pathutil.pathjoin(cadir, "ca-certs")
    os.mkdir(cacertdir)
    pathutil.ensure_dir_exists(cacertdir, "New CA certs directory")
    log.debug("Created %s" % cacertdir)

    trustedcertdir = pathutil.pathjoin(cadir, "trusted-certs")
    os.mkdir(trustedcertdir)
    pathutil.ensure_dir_exists(trustedcertdir,
                               "New CA trusted certs directory")
    log.debug("Created %s" % trustedcertdir)

    usercertdir = pathutil.pathjoin(cadir, "user-certs")
    os.mkdir(usercertdir)
    pathutil.ensure_dir_exists(usercertdir, "New CA user certs directory")
    log.debug("Created %s" % usercertdir)

    # Create the cert via autocommon

    args = [cacertdir, ca_name]
    (exitcode, stdout, stderr) = javautil.run(basedir,
                                              log,
                                              EXE_CREATE_NEW_CA,
                                              args=args)
    runutil.generic_bailout("Problem creating CA.", exitcode, stdout, stderr)

    # Make the private key owner-readable only

    privkeyname = "private-key-" + ca_name + ".pem"
    cakeyfile = pathutil.pathjoin(cacertdir, privkeyname)
    pathutil.ensure_file_exists(cakeyfile, "New CA key")
    log.debug("file exists: %s" % cakeyfile)
    pathutil.make_path_rw_private(cakeyfile)
    pathutil.ensure_path_private(cakeyfile, "New CA key")
    log.debug("file made private: %s" % cakeyfile)

    # Copy the new certificate file to the "hash.0" version that some toolings
    # will expect.

    cacertfile = pathutil.pathjoin(cacertdir, ca_name + ".pem")
    pathutil.ensure_file_exists(cacertfile, "New CA cert")
    log.debug("file exists: %s" % cacertfile)

    args = [cacertfile]
    (exitcode, stdout, stderr) = javautil.run(basedir,
                                              log,
                                              EXE_GET_HASHED_CERT_NAME,
                                              args=args)
    runutil.generic_bailout("Problem finding hashed cert name.", exitcode,
                            stdout, stderr)
    cacertfilehash = stdout.strip()
    log.debug("cert file hash is '%s'" % cacertfilehash)

    newpath = pathutil.pathjoin(cacertdir, cacertfilehash + ".0")
    shutil.copyfile(cacertfile, newpath)
    pathutil.ensure_file_exists(newpath, "New CA cert (hashed #1)")
    log.debug("file exists: %s" % newpath)

    newpath = pathutil.pathjoin(trustedcertdir, cacertfilehash + ".0")
    shutil.copyfile(cacertfile, newpath)
    pathutil.ensure_file_exists(newpath, "New CA cert (hashed #2)")
    log.debug("file exists: %s" % newpath)

    # Signing policy

    signing1 = pathutil.pathjoin(cacertdir, cacertfilehash + ".signing_policy")
    args = [cacertfile, signing1]
    (exitcode, stdout, stderr) = javautil.run(basedir,
                                              log,
                                              EXE_WRITE_SIGNING_POLICY,
                                              args=args)
    runutil.generic_bailout("Problem creating signing_policy file.", exitcode,
                            stdout, stderr)
    pathutil.ensure_file_exists(signing1, "signing_policy file #1")
    log.debug("file exists: %s" % signing1)

    signing2 = pathutil.pathjoin(trustedcertdir,
                                 cacertfilehash + ".signing_policy")
    shutil.copyfile(signing1, signing2)
    pathutil.ensure_file_exists(signing2, "signing_policy file #2")
    log.debug("file exists: %s" % signing2)

    # CRL

    crl1 = pathutil.pathjoin(cacertdir, cacertfilehash + ".r0")
    args = [crl1, cacertfile, cakeyfile]
    (exitcode, stdout, stderr) = javautil.run(basedir,
                                              log,
                                              EXE_CREATE_CRL,
                                              args=args)
    runutil.generic_bailout("Problem creating revocation file.", exitcode,
                            stdout, stderr)
    pathutil.ensure_file_exists(crl1, "revocation file #1")
    log.debug("file exists: %s" % crl1)

    crl2 = pathutil.pathjoin(trustedcertdir, cacertfilehash + ".r0")
    shutil.copyfile(crl1, crl2)
    pathutil.ensure_file_exists(crl2, "revocation file #2")
    log.debug("file exists: %s" % crl2)
Пример #20
0
def createCert(CN, basedir, cadir, certtarget, keytarget, log, 
        allow_overwrite=False):
    
    if not allow_overwrite and pathutil.check_path_exists(certtarget):
        msg = "Certificate file present already: " + certtarget
        raise IncompatibleEnvironment(msg)
    if not allow_overwrite and pathutil.check_path_exists(keytarget):
        msg = "Key file present already: " + keytarget
        raise IncompatibleEnvironment(msg)
    
    cacert_path = findCAcert(basedir, cadir, log)
    cakey_path = findCAkey(basedir, cadir, log)
    
    # Create temp directory.
    uuid = pathutil.uuidgen()
    tempdir = pathutil.pathjoin(cadir, uuid)
    os.mkdir(tempdir)
    pathutil.ensure_dir_exists(tempdir, "temp certs directory")
    log.debug("Created %s" % tempdir)
    
    args = [tempdir, CN, "pub", "priv", cacert_path, cakey_path]
    (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_CREATE_NEW_CERT, args=args)
    runutil.generic_bailout("Problem creating certificate.", exitcode, stdout, stderr)
    
    pub_DN = stdout.strip()
    
    temp_pub_path = pathutil.pathjoin(tempdir, "pub")
    pathutil.ensure_file_exists(temp_pub_path, "temp cert")
    log.debug("temp cert exists: " + temp_pub_path)
    
    # copy that to user-cert records
    args = [temp_pub_path]
    (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_GET_HASHED_CERT_NAME, args=args)
    runutil.generic_bailout("Problem finding hashed cert name.", exitcode, stdout, stderr)
    usercertfilehash = stdout.strip()
    log.debug("user cert file hash is '%s'" % usercertfilehash)
    cert_records_path = pathutil.pathjoin(cadir, "user-certs")
    cert_records_path = pathutil.pathjoin(cert_records_path,
                                          usercertfilehash + ".0")
    shutil.copyfile(temp_pub_path, cert_records_path)
    pathutil.ensure_file_exists(cert_records_path, "new certificate (record)")
    log.debug("cert exists at target: " + cert_records_path)
    
    temp_priv_path = pathutil.pathjoin(tempdir, "priv")
    pathutil.ensure_file_exists(temp_priv_path, "temp key")
    log.debug("temp key exists: " + temp_priv_path)
    
    log.debug("Created certificate: %s" % pub_DN)
    
    # Those user-supplied targets still don't exist, right? :-)
    if not allow_overwrite and pathutil.check_path_exists(certtarget):
        msg = "Certificate file present already: " + certtarget
        raise IncompatibleEnvironment(msg)
    if not allow_overwrite and pathutil.check_path_exists(keytarget):
        msg = "Key file present already: " + keytarget
        raise IncompatibleEnvironment(msg)
    
    shutil.copyfile(temp_pub_path, certtarget)
    pathutil.ensure_file_exists(certtarget, "new certificate")
    log.debug("cert exists at target: " + certtarget)
    
    shutil.copyfile(temp_priv_path, keytarget)
    pathutil.ensure_file_exists(keytarget, "new key")
    log.debug("key exists at target: " + keytarget)
    
    pathutil.make_path_rw_private(keytarget)
    pathutil.ensure_path_private(keytarget, "new key")
    log.debug("file made private: %s" % keytarget)
    
    shutil.rmtree(tempdir)

    return pub_DN