mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
Commit corrected certs.py
This commit is contained in:
Karl MacMillan
parent
3b4f0db73e
commit
158b4e8ff4
@ -25,18 +25,29 @@ from ipa import ipautil
|
||||
class CertDB(object):
|
||||
def __init__(self, dir):
|
||||
self.secdir = dir
|
||||
self.prefix = "new-"
|
||||
|
||||
self.noise_fname = self.secdir + "/noise.txt"
|
||||
self.passwd_fname = self.secdir + "/pwdfile.txt"
|
||||
self.certdb_fname = self.secdir + "/cert8.db"
|
||||
self.keydb_fname = self.secdir + "/key3.db"
|
||||
self.secmod_fname = self.secdir + "/secmod.db"
|
||||
self.cacert_fname = self.secdir + "/cacert.asc"
|
||||
self.pk12_fname = self.secdir + "/cacert.p12"
|
||||
self.pin_fname = self.secdir + "/pin.txt"
|
||||
self.certreq_fname = self.secdir + "/tmpcertreq"
|
||||
self.certder_fname = self.secdir + "/tmpcert.der"
|
||||
|
||||
# Making this a starting value that will generate
|
||||
# unique values for the current DB is the
|
||||
# responsibility of the caller for now. In the
|
||||
# future we might automatically determine this
|
||||
# for a given db.
|
||||
self.cur_serial = 1000
|
||||
|
||||
self.cacert_name = "CA certificate"
|
||||
self.valid_months = "120"
|
||||
self.keysize = "1024"
|
||||
|
||||
# We are going to set the owner of all of the cert
|
||||
# files to the owner of the containing directory
|
||||
# instead of that of the process. This works when
|
||||
@ -46,6 +57,11 @@ class CertDB(object):
|
||||
self.uid = mode[stat.ST_UID]
|
||||
self.gid = mode[stat.ST_GID]
|
||||
|
||||
def next_serial(self):
|
||||
r = self.cur_serial
|
||||
self.cur_serial += 1
|
||||
return str(r)
|
||||
|
||||
def set_perms(self, fname, write=False):
|
||||
os.chown(fname, self.uid, self.gid)
|
||||
perms = stat.S_IRUSR
|
||||
@ -80,6 +96,7 @@ class CertDB(object):
|
||||
def create_certdbs(self):
|
||||
ipautil.backup_file(self.certdb_fname)
|
||||
ipautil.backup_file(self.keydb_fname)
|
||||
ipautil.backup_file(self.secmod_fname)
|
||||
self.run_certutil(["-N",
|
||||
"-f", self.passwd_fname])
|
||||
self.set_perms(self.passwd_fname, write=True)
|
||||
@ -88,14 +105,15 @@ class CertDB(object):
|
||||
# Generate the encryption key
|
||||
self.run_certutil(["-G", "-z", self.noise_fname, "-f", self.passwd_fname])
|
||||
# Generate the self-signed cert
|
||||
self.run_certutil(["-S", "-n", "CA certificate",
|
||||
self.run_certutil(["-S", "-n", self.cacert_name,
|
||||
"-s", "cn=CAcert",
|
||||
"-x",
|
||||
"-t", "CT,,",
|
||||
"-m", "1000",
|
||||
"-v", "120",
|
||||
"-m", self.next_serial(),
|
||||
"-v", self.valid_months,
|
||||
"-z", self.noise_fname,
|
||||
"-f", self.passwd_fname])
|
||||
|
||||
# export the CA cert for use with other apps
|
||||
ipautil.backup_file(self.cacert_fname)
|
||||
self.run_certutil(["-L", "-n", "CA certificate",
|
||||
@ -111,43 +129,54 @@ class CertDB(object):
|
||||
self.set_perms(self.pk12_fname)
|
||||
|
||||
def load_cacert(self, cacert_fname):
|
||||
self.run_certutil(["-A", "-n", "CA certificate",
|
||||
self.run_certutil(["-A", "-n", self.cacert_name,
|
||||
"-t", "CT,CT,",
|
||||
"-a",
|
||||
"-i", cacert_fname])
|
||||
|
||||
def create_server_cert(self, nickname, name):
|
||||
self.run_certutil(["-S", "-n", nickname,
|
||||
"-s", name,
|
||||
"-c", "CA certificate",
|
||||
"-t", "u,u,u",
|
||||
"-m", "1001",
|
||||
"-v", "120",
|
||||
"-z", self.noise_fname,
|
||||
"-f", self.passwd_fname])
|
||||
def create_server_cert(self, nickname, name, other_certdb=None):
|
||||
cdb = other_certdb
|
||||
if not cdb:
|
||||
cdb = self
|
||||
self.request_cert(name)
|
||||
cdb.issue_cert(self.certreq_fname, self.certder_fname)
|
||||
self.add_cert(self.certder_fname, nickname)
|
||||
os.unlink(self.certreq_fname)
|
||||
os.unlink(self.certder_fname)
|
||||
|
||||
def request_cert(self, name):
|
||||
self.run_certutil(["-R", "-s", name,
|
||||
"-o", self.certreq_fname,
|
||||
"-g", "1024",
|
||||
"-g", self.keysize,
|
||||
"-z", self.noise_fname,
|
||||
"-f", self.passwd_fname])
|
||||
|
||||
def issue_cert(self, certreq_fname, cert_fname):
|
||||
p = subprocess.Popen(["/usr/bin/certutil",
|
||||
"-d", self.secdir,
|
||||
"-C", "-c", "CA certificate",
|
||||
"-C", "-c", self.cacert_name,
|
||||
"-i", certreq_fname,
|
||||
"-o", cert_fname,
|
||||
"-m", "1002",
|
||||
"-v", "120",
|
||||
"-m", self.next_serial(),
|
||||
"-v", self.valid_months,
|
||||
"-f", self.passwd_fname,
|
||||
"-1", "-5"],
|
||||
stdin=subprocess.PIPE,
|
||||
stdout=subprocess.PIPE)
|
||||
|
||||
# bah - this sucks, but I guess it isn't possible to fully
|
||||
# control this with command line arguments
|
||||
# Bah - this sucks, but I guess it isn't possible to fully
|
||||
# control this with command line arguments.
|
||||
#
|
||||
# What this is requesting is:
|
||||
# -1 (Create key usage extension)
|
||||
# 2 - Key encipherment
|
||||
# 9 - done
|
||||
# n - not critical
|
||||
#
|
||||
# -5 (Create netscape cert type extension)
|
||||
# 1 - SSL Server
|
||||
# 9 - done
|
||||
# n - not critical
|
||||
p.stdin.write("2\n9\nn\n1\n9\nn\n")
|
||||
p.wait()
|
||||
|
||||
@ -158,14 +187,6 @@ class CertDB(object):
|
||||
"-i", cert_fname,
|
||||
"-f", cert_fname])
|
||||
|
||||
def create_server_cert_extca(self, nickname, name, other_certdb):
|
||||
self.request_cert(name)
|
||||
other_certdb.issue_cert(self.certreq_fname, self.certder_fname)
|
||||
self.add_cert(self.certder_fname, nickname)
|
||||
os.unlink(self.certreq_fname)
|
||||
os.unlink(self.certder_fname)
|
||||
|
||||
|
||||
def create_pin_file(self):
|
||||
ipautil.backup_file(self.pin_fname)
|
||||
f = open(self.pin_fname, "w")
|
||||
|
||||
Loading…
Reference in New Issue
Block a user