示例#1
0
def GenerateKeys(config, overwrite_keys=False):
    """Generate the keys we need for a GRR server."""
    if not hasattr(key_utils, "MakeCACert"):
        parser.error("Generate keys can only run with open source key_utils.")
    if (config.Get("PrivateKeys.server_key", default=None)
            and not overwrite_keys):
        print config.Get("PrivateKeys.server_key")
        raise RuntimeError(
            "Config %s already has keys, use --overwrite_keys to "
            "override." % config.parser)

    length = grr_config.CONFIG["Server.rsa_key_length"]
    print "All keys will have a bit length of %d." % length
    print "Generating executable signing key"
    executable_key = rdf_crypto.RSAPrivateKey.GenerateKey(bits=length)
    config.Set("PrivateKeys.executable_signing_private_key",
               executable_key.AsPEM())
    config.Set("Client.executable_signing_public_key",
               executable_key.GetPublicKey().AsPEM())

    print "Generating CA keys"
    ca_key = rdf_crypto.RSAPrivateKey.GenerateKey(bits=length)
    ca_cert = key_utils.MakeCACert(ca_key)
    config.Set("CA.certificate", ca_cert.AsPEM())
    config.Set("PrivateKeys.ca_key", ca_key.AsPEM())

    print "Generating Server keys"
    server_key = rdf_crypto.RSAPrivateKey.GenerateKey(bits=length)
    server_cert = key_utils.MakeCASignedCert(u"grr", server_key, ca_cert,
                                             ca_key)
    config.Set("Frontend.certificate", server_cert.AsPEM())
    config.Set("PrivateKeys.server_key", server_key.AsPEM())

    print "Generating secret key for csrf protection."
    GenerateCSRFKey(config)
示例#2
0
def RotateServerKey(cn=u"grr", keylength=4096):
  """This function creates and installs a new server key.

  Note that

  - Clients might experience intermittent connection problems after
    the server keys rotated.

  - It's not possible to go back to an earlier key. Clients that see a
    new certificate will remember the cert's serial number and refuse
    to accept any certificate with a smaller serial number from that
    point on.

  Args:
    cn: The common name for the server to use.
    keylength: Length in bits for the new server key.
  Raises:
    ValueError: There is no CA cert in the config. Probably the server
                still needs to be initialized.
  """
  ca_certificate = config.CONFIG["CA.certificate"]
  ca_private_key = config.CONFIG["PrivateKeys.ca_key"]

  if not ca_certificate or not ca_private_key:
    raise ValueError("No existing CA certificate found.")

  # Check the current certificate serial number
  existing_cert = config.CONFIG["Frontend.certificate"]

  serial_number = existing_cert.GetSerialNumber() + 1
  EPrint("Generating new server key (%d bits, cn '%s', serial # %d)" %
         (keylength, cn, serial_number))

  server_private_key = rdf_crypto.RSAPrivateKey.GenerateKey(bits=keylength)
  server_cert = key_utils.MakeCASignedCert(
      unicode(cn),
      server_private_key,
      ca_certificate,
      ca_private_key,
      serial_number=serial_number)

  EPrint("Updating configuration.")
  config.CONFIG.Set("Frontend.certificate", server_cert)
  config.CONFIG.Set("PrivateKeys.server_key", server_private_key.AsPEM())
  config.CONFIG.Write()

  EPrint("Server key rotated, please restart the GRR Frontends.")