def setup(self): """ Configure the RA with its own certificates. :return: """ if CertificateManager.cert_file_exists("ra.cert"): # Certificate exists self.cert = CertificateManager.load_cert("ra.cert") else: # Not found, create new certificate for the RA if self.verbose: print("Generating new RA certificate.") if self.ca is None or not isinstance(self.ca, CA): raise ValueError("The \"ca\" field must be defined and instance of CA to setup an RA.") # Create certificate own certificate on behalf of the CA keys = CertificateManager.create_key_pair(self.default_key_type, self.default_key_size) csr = CertificateManager.create_csr(keys, C="NO", ST="Oslo", L="Oslo", O=self.organisation, OU="RA", CN="RA") issuer = self.ca.get_root_certificate().get_issuer() # Issuer of root certificate (i.e. root CA) cert = CertificateManager.create_cert(csr, self.get_next_serial(), issuer, self.ca.get_keys(), ca=True) # Save certificate, keys and files CertificateManager.save_cert(cert, CONFIG["pki"]["ra-cert-name"]) CertificateManager.save_pkey(keys, CONFIG["pki"]["ra-pkey-name"]) self.cert = cert
def setup(self, peer=None, epg=None): # Load config self.name = CONFIG["endpoints"]["server-name"] self.address = CONFIG["endpoints"]["server-addr"] self.port = CONFIG["endpoints"]["server-port"] self.verbose = CONFIG["verbose"] self.epg = epg self.peer = peer # Create Client peer self.peer = EP(name=CONFIG["endpoints"]["client-name"], address=CONFIG["endpoints"]["client-addr"], port=CONFIG["endpoints"]["client-port"], epg=CONFIG["endpoints"]["client-epg"]) # Load key material to create or request connection-specific certificate server_pkey_name = CONFIG["pki"]["server-pkey-name"] server_cert_name = CONFIG["pki"]["server-cert-name"] if not CM.cert_file_exists( server_pkey_name) or not CM.cert_file_exists(server_cert_name): # Request certificate from RA keys = CM.create_key_pair() csr = CM.create_csr(keys) request = CertificateRequest(self, self.peer, csr) cert = self.ra.request_certificate(request) if cert is None: raise ConnectionError( "Could not retrieve certificate needed to establish TLS connection." ) # Save keys and certificate CM.save_pkey(keys, server_pkey_name) CM.save_cert(cert, server_cert_name) self.cert = cert self.keys = keys else: self.keys = CM.load_pkey(server_pkey_name) self.cert = CM.load_cert(server_cert_name) # Create context self.context = SSL.Context(SSL.TLSv1_2_METHOD) self.context.set_options(SSL.OP_NO_TLSv1_2) self.context.set_verify( SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, self.ssl_verify_cb) self.context.set_ocsp_server_callback(self.ocsp_server_cb, data=self.name) self.context.use_privatekey(self.keys) self.context.use_certificate(self.cert) self.context.load_verify_locations( CM.get_cert_path(CONFIG["pki"]["ca-cert-name"]))
def __init__(self, ca): self.ca = ca self.private_key = CertificateManager.load_pkey(CONFIG["pki"]["server-pkey-name"]) self.certificate = CertificateManager.load_cert(CONFIG["pki"]["server-cert-name"]) self.ca_certificate = ca.get_root_certificate() self.ra = ca.get_ra() self.context = self.get_context() self.connection = None self.clients = {} self.writers = {} atexit.register(self.shutdown) super(Server, self).__init__()
def setup(self, peer, epg=None): # Load config self.name = CONFIG["endpoints"]["client-name"] self.address = CONFIG["endpoints"]["client-addr"] self.port = CONFIG["endpoints"]["client-port"] self.verbose = CONFIG["verbose"] self.epg = epg self.peer = peer # Load or request keys and certificate client_pkey_name = CONFIG["pki"]["client-pkey-name"] client_cert_name = CONFIG["pki"]["client-cert-name"] self.ca_cert_name = CONFIG["pki"]["ca-cert-name"] if not CM.cert_file_exists( client_pkey_name) or not CM.cert_file_exists(client_cert_name): # Request certificate from RA keys = CM.create_key_pair() csr = CM.create_csr(keys) request = CertificateRequest(self, self.peer, csr) cert = self.ra.request_certificate(request) if cert is None: raise ConnectionError( "Could not retrieve certificate needed to establish TLS connection. " "RA returned None.") # Save keys and certificate CM.save_pkey(keys, client_pkey_name) CM.save_cert(cert, client_cert_name) self.keys = keys self.cert = cert else: self.keys = CM.load_pkey(client_pkey_name) self.cert = CM.load_cert(client_cert_name) # Define context ctx = SSL.Context(SSL.TLSv1_2_METHOD) ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, self.ssl_verify_cb) ctx.set_verify_depth(2) ctx.use_privatekey(self.keys) ctx.use_certificate(self.cert) ctx.load_verify_locations( CM.get_cert_path(CONFIG["pki"]["ca-cert-name"])) ctx.set_ocsp_client_callback(self.ocsp_client_callback, data=self.name) self.context = ctx
def get_root_certificate(): """ Get the certificate for the root CA :return: """ if CertificateManager.cert_file_exists(CONFIG["pki"]["ca-cert-name"]): # Certificate exists return CertificateManager.load_cert(CONFIG["pki"]["ca-cert-name"]) else: # Create CA certificate pkey = CertificateManager.create_key_pair() csr = CertificateManager.create_csr(pkey, O="AC-PKI", OU="CA", C="NO", ST="Oslo", L="Oslo", CN="Root CA") cert = CertificateManager.create_self_signed_cert(csr, pkey, RA.get_next_serial()) # Save files and return CertificateManager.save_pkey(pkey, CONFIG["pki"]["ca-pkey-name"]) CertificateManager.save_cert(cert, CONFIG["pki"]["ca-cert-name"]) return cert
shared via Git and will therefore need to be created on each individual system. """ print("Setting up certificates...") # Create certs directory if it does not already exist if not os.path.exists(CertificateManager.get_cert_path()): os.makedirs(CertificateManager.get_cert_path()) print("Created certs directory") # Create CA certificate if CertificateManager.cert_file_exists( "ca.cert") and CertificateManager.cert_file_exists("ca.pkey"): # Load existing print("Loading existing CA certificate from file") ca_cert = CertificateManager.load_cert("ca.cert") ca_key_pair = CertificateManager.load_pkey("ca.pkey") else: # Generate new print("Generating CA certificate") ca_key_pair = CertificateManager.create_key_pair(crypto.TYPE_RSA, 2048) csr = CertificateManager.create_csr(ca_key_pair, C="NO", ST="Oslo", O="Corp", OU="Blab") ca_cert = CertificateManager.create_self_signed_cert(csr, ca_key_pair, 0) CertificateManager.save_pkey(ca_key_pair, "ca.pkey") CertificateManager.save_cert(ca_cert, "ca.cert") # Create client certificate