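def generate_crl(self):
    """Regenerate this organization's CRL and restart its running servers.

    A one-off ``openssl ca`` config is rendered into ``TEMP_DIR`` under the
    organization path, ``openssl ca -gencrl`` writes the CRL to
    ``self.crl_path``, and the rendered config is removed again whether or
    not openssl succeeded. All openssl invocations in this module are
    serialized on ``openssl_lock``.

    Raises:
        subprocess.CalledProcessError: openssl exited non-zero; the failure
            is logged together with openssl's combined output before being
            re-raised.
    """
    openssl_lock.acquire()
    try:
        conf_path = os.path.join(self.path, TEMP_DIR, 'crl.conf')
        conf_data = CERT_CONF % (
            self.id, self.path, app_server.key_bits, CA_CERT_ID)
        with open(conf_path, 'w') as conf_file:
            conf_file.write(conf_data)
        args = [
            'openssl', 'ca', '-gencrl', '-batch',
            '-config', conf_path,
            '-out', self.crl_path,
        ]
        try:
            # check_output drains the pipe as openssl writes; check_call
            # with stdout/stderr=PIPE never reads them and blocks once the
            # output exceeds the OS pipe buffer.
            subprocess.check_output(args, stderr=subprocess.STDOUT)
        finally:
            # Previously the config was only removed on success and was
            # left behind whenever openssl failed.
            os.remove(conf_path)
    except subprocess.CalledProcessError as exc:
        logger.exception('Failed to generate server crl. %r', {
            'org_id': self.id,
            'output': exc.output,
        })
        raise
    finally:
        openssl_lock.release()

    # Restart running servers after the CRL was regenerated; this runs
    # outside the lock, as before.
    for server in self.get_servers():
        if server.status:
            server.restart()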
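def _cert_request(self):
    """Generate a new private key and certificate request for this cert.

    Runs ``openssl req -new`` with ``self.ssl_conf_path``, writing the
    request to ``self.reqs_path`` and the private key to ``self.key_path``,
    using the ``<type>_req_ext`` request-extensions section of that config.
    The key file is then restricted to owner read/write.

    Raises:
        subprocess.CalledProcessError: openssl exited non-zero; logged with
            openssl's combined output before being re-raised.
    """
    openssl_lock.acquire()
    try:
        args = [
            'openssl', 'req', '-new', '-batch',
            '-config', self.ssl_conf_path,
            '-out', self.reqs_path,
            '-keyout', self.key_path,
            '-reqexts', '%s_req_ext' % self.type,
        ]
        # check_output drains the pipe as openssl writes; check_call with
        # stdout/stderr=PIPE never reads them and blocks once the output
        # exceeds the OS pipe buffer.
        subprocess.check_output(args, stderr=subprocess.STDOUT)
    except subprocess.CalledProcessError as exc:
        logger.exception('Failed to create user cert requests. %r', {
            'org_id': self.org.id,
            'user_id': self.id,
            'output': exc.output,
        })
        raise
    finally:
        openssl_lock.release()
    # NOTE(review): the key file is created by openssl with whatever mode
    # its build applies (umask-derived on some builds) and only tightened
    # here; pre-creating key_path with mode 0o600 before the openssl call
    # would close that window -- confirm against how callers treat an
    # empty key file on failure before changing it.
    os.chmod(self.key_path, 0o600)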
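def _cert_create(self):
    """Sign this certificate's pending request with the organization CA.

    Runs ``openssl ca`` on ``self.reqs_path`` and writes the signed cert to
    ``self.cert_path``, using the ``<type>_ext`` extensions section of
    ``self.ssl_conf_path``. When this is the CA cert (``type == CERT_CA``)
    the request is self-signed instead.

    Raises:
        subprocess.CalledProcessError: openssl exited non-zero; logged with
            openssl's combined output before being re-raised.
    """
    openssl_lock.acquire()
    try:
        args = ['openssl', 'ca', '-batch']
        if self.type == CERT_CA:
            args.append('-selfsign')
        args.extend([
            '-config', self.ssl_conf_path,
            '-in', self.reqs_path,
            '-out', self.cert_path,
            '-extensions', '%s_ext' % self.type,
        ])
        # check_output drains the pipe as openssl writes; check_call with
        # stdout/stderr=PIPE never reads them and blocks once the output
        # exceeds the OS pipe buffer.
        subprocess.check_output(args, stderr=subprocess.STDOUT)
    except subprocess.CalledProcessError as exc:
        logger.exception('Failed to create user cert. %r', {
            'org_id': self.org.id,
            'user_id': self.id,
            'output': exc.output,
        })
        raise
    finally:
        openssl_lock.release()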
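def _revoke(self, reason):
    """Revoke this certificate in the organization CA and regenerate the CRL.

    Refuses to revoke the CA certificate itself. When ``self.cert_path``
    does not exist a warning is logged and nothing is done. Otherwise the
    ssl conf is rendered, ``openssl ca -revoke`` is run under
    ``openssl_lock``, and the conf is removed on success; an "already
    revoked" reply from openssl is tolerated so repeated calls do not fail.
    Finally the organization CRL is regenerated.

    Args:
        reason: CRL reason passed through to ``openssl ca -crl_reason``.
            It is handed to openssl as a separate argv element (no shell)
            and openssl itself validates the value.

    Raises:
        TypeError: this is the CA certificate (``CA_CERT_ID``).
        subprocess.CalledProcessError: openssl failed for any reason other
            than the cert already being revoked; logged with openssl's
            stderr before being re-raised.
    """
    if self.id == CA_CERT_ID:
        raise TypeError("Cannot revoke ca cert")
    if not os.path.isfile(self.cert_path):
        logger.warning("Skipping revoke of non existent user. %r",
            {"org_id": self.org.id, "user_id": self.id})
        return

    openssl_lock.acquire()
    try:
        self._create_ssl_conf()
        args = [
            "openssl", "ca", "-batch",
            "-config", self.ssl_conf_path,
            "-revoke", self.cert_path,
            "-crl_reason", reason,
        ]
        proc = subprocess.Popen(args, stdout=subprocess.PIPE,
            stderr=subprocess.PIPE)
        # communicate() reads both pipes to EOF and then reaps the child.
        # Calling wait() first blocks forever once openssl fills a pipe
        # buffer, and the pipes were never read or closed on success.
        err_output = proc.communicate()[1]
        returncode = proc.returncode
        if returncode != 0:
            if isinstance(err_output, bytes):
                err_output = err_output.decode("utf-8", "replace")
            # Matching on openssl's message text is version-dependent, but
            # a cert that is already revoked is not a failure here.
            if "ERROR:Already revoked" not in err_output:
                raise subprocess.CalledProcessError(
                    returncode, args, output=err_output)
        # As before, the rendered conf is only removed on success.
        self._delete_ssl_conf()
    except subprocess.CalledProcessError as exc:
        logger.exception("Failed to revoke user cert. %r", {
            "org_id": self.org.id,
            "user_id": self.id,
            "output": exc.output,
        })
        raise
    finally:
        openssl_lock.release()

    self.org.generate_crl()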
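def _cert_create(self):
    """Sign this certificate's pending request with the organization CA.

    ``openssl ca`` reads the request from ``self.reqs_path`` and writes the
    signed certificate to ``self.cert_path``, applying the ``<type>_ext``
    section of ``self.ssl_conf_path``. The CA certificate (``type ==
    CERT_CA``) is self-signed.

    Raises:
        subprocess.CalledProcessError: openssl exited non-zero; logged with
            openssl's combined output before being re-raised.
    """
    openssl_lock.acquire()
    try:
        selfsign = ["-selfsign"] if self.type == CERT_CA else []
        args = ["openssl", "ca", "-batch"] + selfsign + [
            "-config", self.ssl_conf_path,
            "-in", self.reqs_path,
            "-out", self.cert_path,
            "-extensions", "%s_ext" % self.type,
        ]
        # check_output consumes openssl's output as it is produced;
        # check_call with stdout/stderr=PIPE leaves the pipes unread and
        # deadlocks once they fill.
        subprocess.check_output(args, stderr=subprocess.STDOUT)
    except subprocess.CalledProcessError as exc:
        logger.exception("Failed to create user cert. %r", {
            "org_id": self.org.id,
            "user_id": self.id,
            "output": exc.output,
        })
        raise
    finally:
        openssl_lock.release()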
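def _revoke(self, reason):
    """Revoke this certificate with ``openssl ca`` and regenerate the CRL.

    The CA certificate itself cannot be revoked. A missing
    ``self.cert_path`` only produces a warning. Otherwise the ssl conf is
    rendered, the revoke runs under ``openssl_lock``, and the conf is
    removed when openssl succeeds; openssl reporting the cert as already
    revoked counts as success. The organization CRL is regenerated last.

    Args:
        reason: value for ``openssl ca -crl_reason``; passed as its own
            argv element (no shell) and validated by openssl, not here.

    Raises:
        TypeError: this is the CA certificate (``CA_CERT_ID``).
        subprocess.CalledProcessError: openssl failed for a reason other
            than "already revoked"; logged with openssl's stderr first.
    """
    if self.id == CA_CERT_ID:
        raise TypeError('Cannot revoke ca cert')
    if not os.path.isfile(self.cert_path):
        logger.warning('Skipping revoke of non existent user. %r', {
            'org_id': self.org.id,
            'user_id': self.id,
        })
        return

    openssl_lock.acquire()
    try:
        self._create_ssl_conf()
        args = [
            'openssl', 'ca', '-batch',
            '-config', self.ssl_conf_path,
            '-revoke', self.cert_path,
            '-crl_reason', reason,
        ]
        proc = subprocess.Popen(args, stdout=subprocess.PIPE,
            stderr=subprocess.PIPE)
        # Read the pipes to EOF before checking the exit status: wait()
        # before communicate() deadlocks once openssl fills a pipe buffer,
        # and left the pipes open when openssl succeeded.
        _, err_output = proc.communicate()
        returncode = proc.returncode
        if returncode != 0:
            if isinstance(err_output, bytes):
                err_output = err_output.decode('utf-8', 'replace')
            # Text match on openssl's message; version-dependent but
            # needed so a repeated revoke is not an error.
            if 'ERROR:Already revoked' not in err_output:
                raise subprocess.CalledProcessError(
                    returncode, args, output=err_output)
        # Only removed on success, as before.
        self._delete_ssl_conf()
    except subprocess.CalledProcessError as exc:
        logger.exception('Failed to revoke user cert. %r', {
            'org_id': self.org.id,
            'user_id': self.id,
            'output': exc.output,
        })
        raise
    finally:
        openssl_lock.release()

    self.org.generate_crl()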
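def _revoke(self, reason):
    """Revoke this certificate in the organization CA, then rebuild the CRL.

    Raises ``TypeError`` for the CA certificate and returns after a warning
    when ``self.cert_path`` is absent. Otherwise renders the ssl conf, runs
    ``openssl ca -revoke`` under ``openssl_lock`` (an "already revoked"
    answer is accepted), deletes the conf on success and regenerates the
    organization CRL.

    Args:
        reason: ``-crl_reason`` value handed to openssl as a separate argv
            element; openssl validates it.

    Raises:
        TypeError: ``self.id == CA_CERT_ID``.
        subprocess.CalledProcessError: openssl failed and did not report
            the cert as already revoked; logged with openssl's stderr
            before being re-raised.
    """
    if self.id == CA_CERT_ID:
        raise TypeError('Cannot revoke ca cert')
    if not os.path.isfile(self.cert_path):
        logger.warning('Skipping revoke of non existent user. %r', {
            'org_id': self.org.id,
            'user_id': self.id,
        })
        return

    openssl_lock.acquire()
    try:
        self._create_ssl_conf()
        args = ['openssl', 'ca', '-batch',
            '-config', self.ssl_conf_path,
            '-revoke', self.cert_path,
            '-crl_reason', reason]
        proc = subprocess.Popen(args, stdout=subprocess.PIPE,
            stderr=subprocess.PIPE)
        # communicate() drains stdout/stderr and reaps the child; the old
        # wait()-first order could block on a full pipe and never closed
        # the pipes on the success path.
        err_output = proc.communicate()[1]
        returncode = proc.returncode
        if returncode != 0:
            if isinstance(err_output, bytes):
                err_output = err_output.decode('utf-8', 'replace')
            # openssl's wording may change between releases; this keeps a
            # second revoke of the same cert from being treated as failure.
            if 'ERROR:Already revoked' not in err_output:
                raise subprocess.CalledProcessError(
                    returncode, args, output=err_output)
        # Conf is kept on failure (unchanged behaviour).
        self._delete_ssl_conf()
    except subprocess.CalledProcessError as exc:
        logger.exception('Failed to revoke user cert. %r', {
            'org_id': self.org.id,
            'user_id': self.id,
            'output': exc.output,
        })
        raise
    finally:
        openssl_lock.release()

    self.org.generate_crl()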
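def _cert_request(self):
    """Create a private key and CSR for this certificate via ``openssl req``.

    The request goes to ``self.reqs_path`` and the key to ``self.key_path``;
    the ``<type>_req_ext`` section of ``self.ssl_conf_path`` supplies the
    request extensions. The key file is chmod'ed to owner-only afterwards.

    Raises:
        subprocess.CalledProcessError: openssl exited non-zero; logged with
            openssl's combined output before being re-raised.
    """
    openssl_lock.acquire()
    try:
        args = [
            "openssl", "req", "-new", "-batch",
            "-config", self.ssl_conf_path,
            "-out", self.reqs_path,
            "-keyout", self.key_path,
            "-reqexts", "%s_req_ext" % self.type,
        ]
        # check_output consumes openssl's output as it is produced;
        # check_call with stdout/stderr=PIPE leaves the pipes unread and
        # deadlocks once they fill.
        subprocess.check_output(args, stderr=subprocess.STDOUT)
    except subprocess.CalledProcessError as exc:
        logger.exception("Failed to create user cert requests. %r", {
            "org_id": self.org.id,
            "user_id": self.id,
            "output": exc.output,
        })
        raise
    finally:
        openssl_lock.release()
    # NOTE(review): between openssl writing the key and this chmod the
    # file carries whatever mode openssl's build applied (umask-derived on
    # some builds). Creating key_path with 0o600 before invoking openssl
    # would remove that window -- check how callers react to an empty key
    # file left by a failed run before making that change.
    os.chmod(self.key_path, 0o600)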