def GenerateKeys(config, overwrite_keys=False): """Generate the keys we need for a GRR server.""" if not hasattr(key_utils, "MakeCACert"): parser.error("Generate keys can only run with open source key_utils.") if (config.Get("PrivateKeys.server_key", default=None) and not overwrite_keys): print config.Get("PrivateKeys.server_key") raise RuntimeError( "Config %s already has keys, use --overwrite_keys to " "override." % config.parser) length = grr_config.CONFIG["Server.rsa_key_length"] print "All keys will have a bit length of %d." % length print "Generating executable signing key" executable_key = rdf_crypto.RSAPrivateKey.GenerateKey(bits=length) config.Set("PrivateKeys.executable_signing_private_key", executable_key.AsPEM()) config.Set("Client.executable_signing_public_key", executable_key.GetPublicKey().AsPEM()) print "Generating CA keys" ca_key = rdf_crypto.RSAPrivateKey.GenerateKey(bits=length) ca_cert = key_utils.MakeCACert(ca_key) config.Set("CA.certificate", ca_cert.AsPEM()) config.Set("PrivateKeys.ca_key", ca_key.AsPEM()) print "Generating Server keys" server_key = rdf_crypto.RSAPrivateKey.GenerateKey(bits=length) server_cert = key_utils.MakeCASignedCert(u"grr", server_key, ca_cert, ca_key) config.Set("Frontend.certificate", server_cert.AsPEM()) config.Set("PrivateKeys.server_key", server_key.AsPEM()) print "Generating secret key for csrf protection." GenerateCSRFKey(config)
def RotateServerKey(cn=u"grr", keylength=4096): """This function creates and installs a new server key. Note that - Clients might experience intermittent connection problems after the server keys rotated. - It's not possible to go back to an earlier key. Clients that see a new certificate will remember the cert's serial number and refuse to accept any certificate with a smaller serial number from that point on. Args: cn: The common name for the server to use. keylength: Length in bits for the new server key. Raises: ValueError: There is no CA cert in the config. Probably the server still needs to be initialized. """ ca_certificate = config.CONFIG["CA.certificate"] ca_private_key = config.CONFIG["PrivateKeys.ca_key"] if not ca_certificate or not ca_private_key: raise ValueError("No existing CA certificate found.") # Check the current certificate serial number existing_cert = config.CONFIG["Frontend.certificate"] serial_number = existing_cert.GetSerialNumber() + 1 EPrint("Generating new server key (%d bits, cn '%s', serial # %d)" % (keylength, cn, serial_number)) server_private_key = rdf_crypto.RSAPrivateKey.GenerateKey(bits=keylength) server_cert = key_utils.MakeCASignedCert( unicode(cn), server_private_key, ca_certificate, ca_private_key, serial_number=serial_number) EPrint("Updating configuration.") config.CONFIG.Set("Frontend.certificate", server_cert) config.CONFIG.Set("PrivateKeys.server_key", server_private_key.AsPEM()) config.CONFIG.Write() EPrint("Server key rotated, please restart the GRR Frontends.")