def perform_setup(self):
# first, set up CA and host cert/key
ca_name = self["ca.name"]
if not os.path.exists(self.cadir):
ca_name = self.ask_ca_name()
self['ca.name'] = ca_name
autoca.createCA(ca_name, self.basedir, self.cadir, log)
if not ca_name:
raise InvalidConfig("CA name is unknown")
ca_cert = os.path.join(self.cadir, 'ca-certs/%s.pem' % ca_name)
ca_key = os.path.join(self.cadir,
'ca-certs/private-key-%s.pem' % ca_name)
pathutil.ensure_file_exists(ca_cert, "CA certificate")
pathutil.ensure_file_exists(ca_key, "CA private key")
hostname = self.get_hostname_or_ask()
#TODO the hostcert/key creation should be extracted from here
# right now it just does a bunch of redundant checks first
checkssl.run(self.basedir,
self.hostcert_path,
self.hostkey_path,
log,
cadir=self.cadir,
hostname=hostname)
password = self['keystore.pass']
if not password:
raise InvalidConfig("Keystore password is unknown")
try:
autoca.ensureKeystore(self.hostcert_path, self.hostkey_path,
self.keystore_path, password, self.basedir,
log)
except autoca.KeystoreMismatchError:
raise IncompatibleEnvironment(
KEYSTORE_MISMATCH_MSG % {
'keystore': self.keystore_path,
'hostcert': self.hostcert_path,
'hostkey': self.hostkey_path
})
pathutil.make_path_rw_private(self.keystore_path)
# then setup GT container
gtcontainer.adjust_hostname(hostname, self.basedir, self.gtdir, log)
gtcontainer.adjust_secdesc_path(self.basedir, self.gtdir, log)
gtcontainer.adjust_host_cert(self.hostcert_path, self.hostkey_path,
self.basedir, self.gtdir, log)
gtcontainer.adjust_gridmap_file(self.gridmap_path, self.basedir,
self.gtdir, log)
# and context broker
gtcontainer.adjust_broker_config(ca_cert, ca_key, self.keystore_path,
password, self.basedir, self.gtdir,
log)
# write an enviroment file
self.write_env_file()
def perform_setup(self):
# first, set up CA and host cert/key
ca_name = self["ca.name"]
if not os.path.exists(self.cadir):
ca_name = self.ask_ca_name()
self['ca.name'] = ca_name
autoca.createCA(ca_name, self.basedir, self.cadir, log)
if not ca_name:
raise InvalidConfig("CA name is unknown")
ca_cert = os.path.join(self.cadir, 'ca-certs/%s.pem' % ca_name)
ca_key = os.path.join(self.cadir, 'ca-certs/private-key-%s.pem' % ca_name)
pathutil.ensure_file_exists(ca_cert, "CA certificate")
pathutil.ensure_file_exists(ca_key, "CA private key")
hostname = self.get_hostname_or_ask()
#TODO the hostcert/key creation should be extracted from here
# right now it just does a bunch of redundant checks first
checkssl.run(self.basedir, self.hostcert_path, self.hostkey_path, log,
cadir=self.cadir, hostname=hostname)
password = self['keystore.pass']
if not password:
raise InvalidConfig("Keystore password is unknown")
try:
autoca.ensureKeystore(self.hostcert_path, self.hostkey_path,
self.keystore_path, password, self.basedir, log)
except autoca.KeystoreMismatchError:
raise IncompatibleEnvironment(KEYSTORE_MISMATCH_MSG % {
'keystore' : self.keystore_path,
'hostcert' : self.hostcert_path,
'hostkey' : self.hostkey_path })
pathutil.make_path_rw_private(self.keystore_path)
# then setup GT container
gtcontainer.adjust_hostname(hostname, self.basedir, self.gtdir, log)
gtcontainer.adjust_secdesc_path(self.basedir, self.gtdir, log)
gtcontainer.adjust_host_cert(self.hostcert_path, self.hostkey_path,
self.basedir, self.gtdir, log)
gtcontainer.adjust_gridmap_file(self.gridmap_path, self.basedir,
self.gtdir, log)
# and context broker
gtcontainer.adjust_broker_config(ca_cert, ca_key, self.keystore_path,
password, self.basedir, self.gtdir, log)
# write an enviroment file
self.write_env_file()
def createCert(CN,
basedir,
cadir,
certtarget,
keytarget,
log,
allow_overwrite=False):
if not allow_overwrite and pathutil.check_path_exists(certtarget):
msg = "Certificate file present already: " + certtarget
raise IncompatibleEnvironment(msg)
if not allow_overwrite and pathutil.check_path_exists(keytarget):
msg = "Key file present already: " + keytarget
raise IncompatibleEnvironment(msg)
cacert_path = findCAcert(basedir, cadir, log)
cakey_path = findCAkey(basedir, cadir, log)
# Create temp directory.
uuid = pathutil.uuidgen()
tempdir = pathutil.pathjoin(cadir, uuid)
os.mkdir(tempdir)
pathutil.ensure_dir_exists(tempdir, "temp certs directory")
log.debug("Created %s" % tempdir)
args = [tempdir, CN, "pub", "priv", cacert_path, cakey_path]
(exitcode, stdout, stderr) = javautil.run(basedir,
log,
EXE_CREATE_NEW_CERT,
args=args)
runutil.generic_bailout("Problem creating certificate.", exitcode, stdout,
stderr)
pub_DN = stdout.strip()
temp_pub_path = pathutil.pathjoin(tempdir, "pub")
pathutil.ensure_file_exists(temp_pub_path, "temp cert")
log.debug("temp cert exists: " + temp_pub_path)
# copy that to user-cert records
args = [temp_pub_path]
(exitcode, stdout, stderr) = javautil.run(basedir,
log,
EXE_GET_HASHED_CERT_NAME,
args=args)
runutil.generic_bailout("Problem finding hashed cert name.", exitcode,
stdout, stderr)
usercertfilehash = stdout.strip()
log.debug("user cert file hash is '%s'" % usercertfilehash)
cert_records_path = pathutil.pathjoin(cadir, "user-certs")
cert_records_path = pathutil.pathjoin(cert_records_path,
usercertfilehash + ".0")
shutil.copyfile(temp_pub_path, cert_records_path)
pathutil.ensure_file_exists(cert_records_path, "new certificate (record)")
log.debug("cert exists at target: " + cert_records_path)
temp_priv_path = pathutil.pathjoin(tempdir, "priv")
pathutil.ensure_file_exists(temp_priv_path, "temp key")
log.debug("temp key exists: " + temp_priv_path)
log.debug("Created certificate: %s" % pub_DN)
# Those user-supplied targets still don't exist, right? :-)
if not allow_overwrite and pathutil.check_path_exists(certtarget):
msg = "Certificate file present already: " + certtarget
raise IncompatibleEnvironment(msg)
if not allow_overwrite and pathutil.check_path_exists(keytarget):
msg = "Key file present already: " + keytarget
raise IncompatibleEnvironment(msg)
shutil.copyfile(temp_pub_path, certtarget)
pathutil.ensure_file_exists(certtarget, "new certificate")
log.debug("cert exists at target: " + certtarget)
shutil.copyfile(temp_priv_path, keytarget)
pathutil.ensure_file_exists(keytarget, "new key")
log.debug("key exists at target: " + keytarget)
pathutil.make_path_rw_private(keytarget)
pathutil.ensure_path_private(keytarget, "new key")
log.debug("file made private: %s" % keytarget)
shutil.rmtree(tempdir)
return pub_DN
def _createCA(ca_name, basedir, cadir, log):
javautil.check(basedir, log)
# mkdir $cadir
# mkdir $cadir/ca-certs
# mkdir $cadir/trusted-certs
# mkdir $cadir/user-certs
os.mkdir(cadir)
pathutil.ensure_dir_exists(cadir, "New CA directory")
log.debug("Created %s" % cadir)
cacertdir = pathutil.pathjoin(cadir, "ca-certs")
os.mkdir(cacertdir)
pathutil.ensure_dir_exists(cacertdir, "New CA certs directory")
log.debug("Created %s" % cacertdir)
trustedcertdir = pathutil.pathjoin(cadir, "trusted-certs")
os.mkdir(trustedcertdir)
pathutil.ensure_dir_exists(trustedcertdir,
"New CA trusted certs directory")
log.debug("Created %s" % trustedcertdir)
usercertdir = pathutil.pathjoin(cadir, "user-certs")
os.mkdir(usercertdir)
pathutil.ensure_dir_exists(usercertdir, "New CA user certs directory")
log.debug("Created %s" % usercertdir)
# Create the cert via autocommon
args = [cacertdir, ca_name]
(exitcode, stdout, stderr) = javautil.run(basedir,
log,
EXE_CREATE_NEW_CA,
args=args)
runutil.generic_bailout("Problem creating CA.", exitcode, stdout, stderr)
# Make the private key owner-readable only
privkeyname = "private-key-" + ca_name + ".pem"
cakeyfile = pathutil.pathjoin(cacertdir, privkeyname)
pathutil.ensure_file_exists(cakeyfile, "New CA key")
log.debug("file exists: %s" % cakeyfile)
pathutil.make_path_rw_private(cakeyfile)
pathutil.ensure_path_private(cakeyfile, "New CA key")
log.debug("file made private: %s" % cakeyfile)
# Copy the new certificate file to the "hash.0" version that some toolings
# will expect.
cacertfile = pathutil.pathjoin(cacertdir, ca_name + ".pem")
pathutil.ensure_file_exists(cacertfile, "New CA cert")
log.debug("file exists: %s" % cacertfile)
args = [cacertfile]
(exitcode, stdout, stderr) = javautil.run(basedir,
log,
EXE_GET_HASHED_CERT_NAME,
args=args)
runutil.generic_bailout("Problem finding hashed cert name.", exitcode,
stdout, stderr)
cacertfilehash = stdout.strip()
log.debug("cert file hash is '%s'" % cacertfilehash)
newpath = pathutil.pathjoin(cacertdir, cacertfilehash + ".0")
shutil.copyfile(cacertfile, newpath)
pathutil.ensure_file_exists(newpath, "New CA cert (hashed #1)")
log.debug("file exists: %s" % newpath)
newpath = pathutil.pathjoin(trustedcertdir, cacertfilehash + ".0")
shutil.copyfile(cacertfile, newpath)
pathutil.ensure_file_exists(newpath, "New CA cert (hashed #2)")
log.debug("file exists: %s" % newpath)
# Signing policy
signing1 = pathutil.pathjoin(cacertdir, cacertfilehash + ".signing_policy")
args = [cacertfile, signing1]
(exitcode, stdout, stderr) = javautil.run(basedir,
log,
EXE_WRITE_SIGNING_POLICY,
args=args)
runutil.generic_bailout("Problem creating signing_policy file.", exitcode,
stdout, stderr)
pathutil.ensure_file_exists(signing1, "signing_policy file #1")
log.debug("file exists: %s" % signing1)
signing2 = pathutil.pathjoin(trustedcertdir,
cacertfilehash + ".signing_policy")
shutil.copyfile(signing1, signing2)
pathutil.ensure_file_exists(signing2, "signing_policy file #2")
log.debug("file exists: %s" % signing2)
# CRL
crl1 = pathutil.pathjoin(cacertdir, cacertfilehash + ".r0")
args = [crl1, cacertfile, cakeyfile]
(exitcode, stdout, stderr) = javautil.run(basedir,
log,
EXE_CREATE_CRL,
args=args)
runutil.generic_bailout("Problem creating revocation file.", exitcode,
stdout, stderr)
pathutil.ensure_file_exists(crl1, "revocation file #1")
log.debug("file exists: %s" % crl1)
crl2 = pathutil.pathjoin(trustedcertdir, cacertfilehash + ".r0")
shutil.copyfile(crl1, crl2)
pathutil.ensure_file_exists(crl2, "revocation file #2")
log.debug("file exists: %s" % crl2)
def createCert(CN, basedir, cadir, certtarget, keytarget, log,
allow_overwrite=False):
if not allow_overwrite and pathutil.check_path_exists(certtarget):
msg = "Certificate file present already: " + certtarget
raise IncompatibleEnvironment(msg)
if not allow_overwrite and pathutil.check_path_exists(keytarget):
msg = "Key file present already: " + keytarget
raise IncompatibleEnvironment(msg)
cacert_path = findCAcert(basedir, cadir, log)
cakey_path = findCAkey(basedir, cadir, log)
# Create temp directory.
uuid = pathutil.uuidgen()
tempdir = pathutil.pathjoin(cadir, uuid)
os.mkdir(tempdir)
pathutil.ensure_dir_exists(tempdir, "temp certs directory")
log.debug("Created %s" % tempdir)
args = [tempdir, CN, "pub", "priv", cacert_path, cakey_path]
(exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_CREATE_NEW_CERT, args=args)
runutil.generic_bailout("Problem creating certificate.", exitcode, stdout, stderr)
pub_DN = stdout.strip()
temp_pub_path = pathutil.pathjoin(tempdir, "pub")
pathutil.ensure_file_exists(temp_pub_path, "temp cert")
log.debug("temp cert exists: " + temp_pub_path)
# copy that to user-cert records
args = [temp_pub_path]
(exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_GET_HASHED_CERT_NAME, args=args)
runutil.generic_bailout("Problem finding hashed cert name.", exitcode, stdout, stderr)
usercertfilehash = stdout.strip()
log.debug("user cert file hash is '%s'" % usercertfilehash)
cert_records_path = pathutil.pathjoin(cadir, "user-certs")
cert_records_path = pathutil.pathjoin(cert_records_path,
usercertfilehash + ".0")
shutil.copyfile(temp_pub_path, cert_records_path)
pathutil.ensure_file_exists(cert_records_path, "new certificate (record)")
log.debug("cert exists at target: " + cert_records_path)
temp_priv_path = pathutil.pathjoin(tempdir, "priv")
pathutil.ensure_file_exists(temp_priv_path, "temp key")
log.debug("temp key exists: " + temp_priv_path)
log.debug("Created certificate: %s" % pub_DN)
# Those user-supplied targets still don't exist, right? :-)
if not allow_overwrite and pathutil.check_path_exists(certtarget):
msg = "Certificate file present already: " + certtarget
raise IncompatibleEnvironment(msg)
if not allow_overwrite and pathutil.check_path_exists(keytarget):
msg = "Key file present already: " + keytarget
raise IncompatibleEnvironment(msg)
shutil.copyfile(temp_pub_path, certtarget)
pathutil.ensure_file_exists(certtarget, "new certificate")
log.debug("cert exists at target: " + certtarget)
shutil.copyfile(temp_priv_path, keytarget)
pathutil.ensure_file_exists(keytarget, "new key")
log.debug("key exists at target: " + keytarget)
pathutil.make_path_rw_private(keytarget)
pathutil.ensure_path_private(keytarget, "new key")
log.debug("file made private: %s" % keytarget)
shutil.rmtree(tempdir)
return pub_DN
def _createCA(ca_name, basedir, cadir, log):
javautil.check(basedir, log)
# mkdir $cadir
# mkdir $cadir/ca-certs
# mkdir $cadir/trusted-certs
# mkdir $cadir/user-certs
os.mkdir(cadir)
pathutil.ensure_dir_exists(cadir, "New CA directory")
log.debug("Created %s" % cadir)
cacertdir = pathutil.pathjoin(cadir, "ca-certs")
os.mkdir(cacertdir)
pathutil.ensure_dir_exists(cacertdir, "New CA certs directory")
log.debug("Created %s" % cacertdir)
trustedcertdir = pathutil.pathjoin(cadir, "trusted-certs")
os.mkdir(trustedcertdir)
pathutil.ensure_dir_exists(trustedcertdir, "New CA trusted certs directory")
log.debug("Created %s" % trustedcertdir)
usercertdir = pathutil.pathjoin(cadir, "user-certs")
os.mkdir(usercertdir)
pathutil.ensure_dir_exists(usercertdir, "New CA user certs directory")
log.debug("Created %s" % usercertdir)
# Create the cert via autocommon
args = [cacertdir, ca_name]
(exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_CREATE_NEW_CA, args=args)
runutil.generic_bailout("Problem creating CA.", exitcode, stdout, stderr)
# Make the private key owner-readable only
privkeyname = "private-key-" + ca_name + ".pem"
cakeyfile = pathutil.pathjoin(cacertdir, privkeyname)
pathutil.ensure_file_exists(cakeyfile, "New CA key")
log.debug("file exists: %s" % cakeyfile)
pathutil.make_path_rw_private(cakeyfile)
pathutil.ensure_path_private(cakeyfile, "New CA key")
log.debug("file made private: %s" % cakeyfile)
# Copy the new certificate file to the "hash.0" version that some toolings
# will expect.
cacertfile = pathutil.pathjoin(cacertdir, ca_name + ".pem")
pathutil.ensure_file_exists(cacertfile, "New CA cert")
log.debug("file exists: %s" % cacertfile)
args = [cacertfile]
(exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_GET_HASHED_CERT_NAME, args=args)
runutil.generic_bailout("Problem finding hashed cert name.", exitcode, stdout, stderr)
cacertfilehash = stdout.strip()
log.debug("cert file hash is '%s'" % cacertfilehash)
newpath = pathutil.pathjoin(cacertdir, cacertfilehash + ".0")
shutil.copyfile(cacertfile, newpath)
pathutil.ensure_file_exists(newpath, "New CA cert (hashed #1)")
log.debug("file exists: %s" % newpath)
newpath = pathutil.pathjoin(trustedcertdir, cacertfilehash + ".0")
shutil.copyfile(cacertfile, newpath)
pathutil.ensure_file_exists(newpath, "New CA cert (hashed #2)")
log.debug("file exists: %s" % newpath)
# Signing policy
signing1 = pathutil.pathjoin(cacertdir, cacertfilehash + ".signing_policy")
args = [cacertfile, signing1]
(exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_WRITE_SIGNING_POLICY, args=args)
runutil.generic_bailout("Problem creating signing_policy file.", exitcode, stdout, stderr)
pathutil.ensure_file_exists(signing1, "signing_policy file #1")
log.debug("file exists: %s" % signing1)
signing2 = pathutil.pathjoin(trustedcertdir, cacertfilehash + ".signing_policy")
shutil.copyfile(signing1, signing2)
pathutil.ensure_file_exists(signing2, "signing_policy file #2")
log.debug("file exists: %s" % signing2)
# CRL
crl1 = pathutil.pathjoin(cacertdir, cacertfilehash + ".r0")
args = [crl1, cacertfile, cakeyfile]
(exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_CREATE_CRL, args=args)
runutil.generic_bailout("Problem creating revocation file.", exitcode, stdout, stderr)
pathutil.ensure_file_exists(crl1, "revocation file #1")
log.debug("file exists: %s" % crl1)
crl2 = pathutil.pathjoin(trustedcertdir, cacertfilehash + ".r0")
shutil.copyfile(crl1, crl2)
pathutil.ensure_file_exists(crl2, "revocation file #2")
log.debug("file exists: %s" % crl2)