calculate
/
calculate-utils-2.2-lib
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '2.2.27'
${ noResults }
calculate-utils-2.2-lib/pym/encrypt.py

604 lines
24 KiB
Raw Permalink Normal View History Unescape

Add modules
14 years ago
#-*- coding: utf-8 -*-
Change Mir Calculate Ltd to Calculate Ltd
14 years ago
# Copyright 2008-2010 Calculate Ltd. http://www.calculate-linux.org
Add modules
14 years ago
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import sys
import os
import hashlib
import crypt
import string
import time
from random import choice
Remove '\n' in result b64encode().
14 years ago
from base64 import encodestring as _b64enc
b64encode = lambda x: _b64enc(x).rstrip()
Fix work lib without py-smbpasswd. Without py-smbpasswd calculate-lib does not support crypt algoritm lm and nt.
14 years ago
try:
from smbpasswd import lmhash,nthash
except ImportError:
lmhash,nthash = None,None
Add modules
14 years ago
from cl_print import color_print
# для создания сертификата
Bugfix encrypt module
14 years ago
import pwd
Add modules
14 years ago
from server.utils import execProg
Added LDAP variables.
14 years ago
import cl_overriding
Add modules
14 years ago
import cl_lang
Added method created CA signed certificates.
14 years ago
from cl_utils import genpassword, removeDir
Add modules
14 years ago
# Перевод модуля
tr = cl_lang.lang()
tr.setLocalDomain('cl_lib')
tr.setLanguage(sys.modules[__name__])
class encrypt(color_print):
"""Класс хранения общих методов используемых для настройки сервисов
Методы шифрования, создания сертификатов и.т. д
"""
Added shadow_ssha512, shadow_ssha256, shadow_md5 hash generate
14 years ago
def __GenCryptSalt__(self, len=2):
Add modules
14 years ago
"""Генерация соли для хеширования пароля (CRYPT)"""
chars = string.letters + string.digits + "./"
salt = ""
Added shadow_ssha512, shadow_ssha256, shadow_md5 hash generate
14 years ago
for i in range(len):
Add modules
14 years ago
salt = salt + choice(chars)
return salt
def getHashPasswd(self, password, SecHashAlg):
"""Генерация хеша пароля,
Поддерживаемые алгоритмы шифрования пароля:
Added shadow_ssha512, shadow_ssha256, shadow_md5 hash generate
14 years ago
plain, md5, smd5, crypt, sha, ssha, lm, nt, shadow_ssha512,
shadow_ssha256, shadow_md5
Add modules
14 years ago
"""
if not password:
Added method created CA signed certificates.
14 years ago
self.printERROR(_("ERROR") + " getHashPasswd: " +
Sync english messages with i18n.
13 years ago
_("empty password"))
Add modules
14 years ago
return False
hashPwd = ""
if SecHashAlg == "plain":
hashPwd = password
elif SecHashAlg == "md5":
h = hashlib.md5(password)
hashPwd = "{MD5}" + b64encode(h.digest())
elif SecHashAlg == "smd5":
salt = os.urandom(4)
h = hashlib.md5(password)
h.update(salt)
hashPwd = "{SMD5}" + b64encode(h.digest() + salt)
Added shadow_ssha512, shadow_ssha256, shadow_md5 hash generate
14 years ago
elif SecHashAlg == "shadow_ssha512":
salt = self.__GenCryptSalt__(8)
hashPwd = crypt.crypt(password, "$6$%s$"%salt)
elif SecHashAlg == "shadow_ssha256":
salt = self.__GenCryptSalt__(8)
hashPwd = crypt.crypt(password, "$5$%s$"%salt)
elif SecHashAlg == "shadow_md5":
salt = self.__GenCryptSalt__(8)
hashPwd = crypt.crypt(password, "$1$%s$"%salt)
Add modules
14 years ago
elif SecHashAlg == "crypt":
salt = self.__GenCryptSalt__()
hashPwd = "{CRYPT}" + crypt.crypt(password, salt)
elif SecHashAlg == "sha":
h = hashlib.sha1(password)
hashPwd = "{SHA}" + b64encode(h.digest())
elif SecHashAlg == "ssha":
salt = os.urandom(4)
h = hashlib.sha1(password)
h.update(salt)
hashPwd = "{SSHA}" + b64encode(h.digest() + salt)
Fix work lib without py-smbpasswd. Without py-smbpasswd calculate-lib does not support crypt algoritm lm and nt.
14 years ago
elif SecHashAlg == "lm" and lmhash:
hashPwd = lmhash(password)
elif SecHashAlg == "nt" and nthash:
hashPwd = nthash(password)
Add modules
14 years ago
else:
Fix work lib without py-smbpasswd. Without py-smbpasswd calculate-lib does not support crypt algoritm lm and nt.
14 years ago
if SecHashAlg in ("lm","nt"):
Added method created CA signed certificates.
14 years ago
self.printERROR(_("ERROR") + " getHashPasswd: " +
Sync english messages with i18n.
13 years ago
(_("Failed to support '%s' crypto algorithm")
Fix work lib without py-smbpasswd. Without py-smbpasswd calculate-lib does not support crypt algoritm lm and nt.
14 years ago
%SecHashAlg) + " " + _("without py-smbpasswd"))
else:
Added method created CA signed certificates.
14 years ago
self.printERROR(_("ERROR") + " getHashPasswd: " +
Sync english messages with i18n.
13 years ago
_("Failed to support '%s' crypto algorithm")
Add modules
14 years ago
%SecHashAlg)
return False
return hashPwd
Added shadow_ssha512, shadow_ssha256, shadow_md5 hash generate
14 years ago
Added method created CA signed certificates.
14 years ago
class certificate(color_print):
sslCountry = "RU"
sslState = "Saint-Petersburg"
sslLocality = "Saint-Petersburg"
sslOrganization = "Calculate Ltd."
sslUnit = "SSL"
sslCommonName = "localhost"
sslEmail = "support@calculate.ru"
nsCertType = "server"
sslDays = 3653
sslBits = 1024
userName = "root"
fileMode = 0400
certsDir = "/var/calculate/ssl"
tmpDir = os.path.join(certsDir,"tmp")
certFile = os.path.join(tmpDir, "server.crt")
keyFile = os.path.join(tmpDir, "server.key")
csrFile = os.path.join(tmpDir, "server.csr")
CAPath = os.path.join(certsDir,"main")
CACertFileName = "CA.crt"
CAKeyFileName = "CA.key"
CACrlFileName = "CA.crl"
rCACertPath = "crt"
rCAKeyPath = "key"
rCACrlPath = "crl"
rSerialFileName = "serial"
rDatabaseFileName = "index.dat"
sslFile = "/usr/bin/openssl"
templCnfCA = """[ ca ]
default_ca = CA_default
[ CA_default ]
dir = %(CAPath)s
certs = $dir/%(rCACertPath)s
crl_dir = $dir/%(rCACrlPath)s
database = $dir/%(rDatabaseFileName)s
new_certs_dir = $dir/%(rCACertPath)s
certificate = $dir/%(rCACertFile)s
serial = $dir/%(rSerialFileName)s
crlnumber = $dir/crlnumber
crl = $dir/%(rCACrlFile)s
private_key = $dir/%(rCAKeyFile)s
RANDFILE = $dir/%(rRandFile)s
x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
default_days = 365
default_crl_days= 30
default_md = default
preserve = no
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ req ]
prompt = no
default_bits = %(sslBits)s
x509_extensions = v3_ca
string_mask = utf8only
distinguished_name = req_dn
[ req_dn ]
C = %(sslCountry)s
ST = %(sslState)s
L = %(sslLocality)s
O = %(sslOrganization)s
OU = %(sslUnit)s
CN = %(sslCommonName)s
emailAddress = %(sslEmail)s
[ cert_type ]
nsCertType = %(nsCertType)s
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
"""
templCnfData = """[ req ]
prompt = no
default_bits = %(sslBits)s
distinguished_name = req_dn
[ req_dn ]
C = %(sslCountry)s
ST = %(sslState)s
L = %(sslLocality)s
O = %(sslOrganization)s
OU = %(sslUnit)s
CN = %(sslCommonName)s
emailAddress = %(sslEmail)s
[ cert_type ]
nsCertType = %(nsCertType)s
"""
Fix path certificate.
14 years ago
templCreateKey = "%(sslFile)s genrsa -out '%(certKeyFile)s' %(sslBits)s"
Added method created CA signed certificates.
14 years ago
templCreateCert = "%(sslFile)s req -new -x509 -days %(sslDays)s "\
Fix path certificate.
14 years ago
"-config '%(cnfFile)s' -key '%(certKeyFile)s' "\
"-out '%(certFile)s'"
Added method created CA signed certificates.
14 years ago
templCreateReq = "%(sslFile)s req -new -days %(sslDays)s "\
Fix path certificate.
14 years ago
"-config '%(cnfFile)s' -key '%(certKeyFile)s' "\
"-out '%(certCsrFile)s'"
templCreateSignCert = "%(sslFile)s ca -batch -config '%(cnfFile)s' "\
"-policy policy_anything -days '%(sslDays)s' "\
"-out '%(certFile)s' -infiles '%(certCsrFile)s'"
Added method created CA signed certificates.
14 years ago
def createCnfFile(self, textCnf):
'''Generate openssl.cnf file'''
if not os.path.exists(self.sslFile):
Sync english messages with i18n.
13 years ago
self.printERROR(_("%s not found")%self.sslFile)
Added method created CA signed certificates.
14 years ago
return False
strData = time.strftime("%Y%m%d%H%M%S",time.localtime(time.time()))
cnfFileName = "%s.%s.cnf" %(strData,genpassword())
if not os.path.exists(self.tmpDir):
self._createDir(self.tmpDir)
cnfFile = os.path.join(self.tmpDir,cnfFileName)
self._createFile(cnfFile, textCnf)
return cnfFile
def checkCertificate(self, certFile):
# Проверка сертификата
Fix path certificate.
14 years ago
textLine = execProg("%s x509 -subject -fingerprint -noout -in '%s'"
Added method created CA signed certificates.
14 years ago
%(self.sslFile, certFile))
if textLine is False:
self.printERROR(_("Error checking certificate %s")%certFile)
return False
return True
def createCertificateAutority(self,sslCountry=sslCountry,
sslState=sslState,
sslLocality=sslLocality,
sslOrganization=sslOrganization,
sslUnit=sslUnit,
sslCommonName=sslCommonName,
sslEmail=sslEmail,
nsCertType=nsCertType,
sslDays=sslDays,
sslBits=sslBits,
userName=userName,
CAPath=CAPath,
CACertFileName=CACertFileName,
CAKeyFileName=CAKeyFileName,
CACrlFileName=CACrlFileName,
fileMode=fileMode,
force=False):
'''Create CA'''
rCACertFile = os.path.join(self.rCACertPath, CACertFileName)
rCAKeyFile = os.path.join(self.rCAKeyPath, CAKeyFileName)
rCACrlFile = os.path.join(self.rCACrlPath, CACrlFileName)
rRandFile = os.path.join(self.rCAKeyPath,".rnd")
CACertFile = os.path.join(CAPath, rCACertFile)
CAKeyFile = os.path.join(CAPath, rCAKeyFile)
# Cerificates exists
if not force and os.path.isfile(CACertFile) and\
os.path.isfile(CAKeyFile):
return True
# получаем id и gid пользователя
try:
pwdObj = pwd.getpwnam(userName)
except:
Sync english messages with i18n.
13 years ago
self.printERROR(_("User %s not found")%userName)
Added method created CA signed certificates.
14 years ago
return False
uid = pwdObj.pw_uid
gid = pwdObj.pw_gid
# delete certificate dir
if os.path.isdir(CAPath):
removeDir(CAPath)
# create certificate dirs
self._createDir(CAPath)
CACertPath = os.path.join(CAPath, self.rCACertPath)
CAKeyPath = os.path.join(CAPath, self.rCAKeyPath)
CACrlPath = os.path.join(CAPath, self.rCACrlPath)
for createDir in [CACertPath, CAKeyPath, CACrlPath]:
self._createDir(createDir)
# save serial number
SerialFile = os.path.join(CAPath, self.rSerialFileName)
self._createFile(SerialFile, "01\n")
# create database file
DatabaseFile = os.path.join(CAPath, self.rDatabaseFileName)
self._createFile(DatabaseFile, "")
textCnf = self.templCnfCA%{'CAPath':CAPath,
'rCACertPath':self.rCACertPath,
'rCACrlPath':self.rCACrlPath,
'rDatabaseFileName':self.rDatabaseFileName,
'rCACertFile':rCACertFile,
'rSerialFileName':self.rSerialFileName,
'rCACrlFile':rCACrlFile,
'rCAKeyFile':rCAKeyFile,
'rRandFile':rRandFile,
'sslBits':sslBits,
'sslCountry':sslCountry,
'sslState':sslState,
'sslLocality':sslLocality,
'sslOrganization':sslOrganization,
'sslUnit':sslUnit,
'sslCommonName':sslCommonName,
'sslEmail':sslEmail,
'nsCertType':nsCertType}
cnfFile = self.createCnfFile(textCnf)
if cnfFile is False:
return False
# generate CA RSA key
execStr = self.templCreateKey%{'sslFile':self.sslFile,
'certKeyFile':CAKeyFile,
'sslBits':sslBits}
if execProg(execStr) is False:
self.printERROR(_("Can not execute '%s'")%execStr)
return False
if os.path.exists(CAKeyFile):
os.chown(CAKeyFile, uid,gid)
os.chmod(CAKeyFile, fileMode)
# create CA
execStr = self.templCreateCert%{'sslFile':self.sslFile,
'sslDays':sslDays,
'cnfFile':cnfFile,
'certKeyFile':CAKeyFile,
'certFile':CACertFile}
if execProg(execStr) is False:
self.printERROR(_("Can not execute '%s'")%execStr)
return False
if os.path.exists(CACertFile):
os.chown(CACertFile, uid,gid)
os.chmod(CACertFile, fileMode)
if os.path.exists(cnfFile):
os.remove(cnfFile)
# check certificate
return self.checkCertificate(CACertFile)
def createSignedCertificate(self,
sslCountry=sslCountry,
sslState=sslState,
sslLocality=sslLocality,
sslOrganization=sslOrganization,
sslUnit=sslUnit,
sslCommonName=sslCommonName,
sslEmail=sslEmail,
nsCertType=nsCertType,
sslDays=sslDays,
sslBits=sslBits,
userName=userName,
CAPath=CAPath,
CACertFileName=CACertFileName,
CAKeyFileName=CAKeyFileName,
CACrlFileName=CACrlFileName,
certFile=certFile,
fileMode=fileMode,
keyFile=keyFile,
csrFile=csrFile,
force=False):
'''Create signed CA certificate'''
certAndKeyFiles = [certFile, keyFile, csrFile]
foundCertFiles = map(lambda x: os.path.exists(x), certAndKeyFiles)
if not force and foundCertFiles[0] and foundCertFiles[1]:
return True
foundCertFiles = map(lambda x: x[1], filter(lambda x: x[0],
zip(foundCertFiles, certAndKeyFiles)))
# Удаляем файлы
map(lambda x: os.remove(x), foundCertFiles)
# получаем id и gid пользователя
try:
pwdObj = pwd.getpwnam(userName)
except:
Sync english messages with i18n.
13 years ago
self.printERROR(_("User %s not found")%userName)
Added method created CA signed certificates.
14 years ago
return False
uid = pwdObj.pw_uid
gid = pwdObj.pw_gid
# create dirs
for fileName in certAndKeyFiles:
dirName = os.path.split(fileName)[0]
if not os.path.exists(dirName):
self._createDir(dirName, uid=uid, gid=gid)
rCACertFile = os.path.join(self.rCACertPath, CACertFileName)
rCAKeyFile = os.path.join(self.rCAKeyPath, CAKeyFileName)
rCACrlFile = os.path.join(self.rCACrlPath, CACrlFileName)
rRandFile = os.path.join(self.rCAKeyPath,".rnd")
textCnf = self.templCnfCA%{'CAPath':CAPath,
'rCACertPath':self.rCACertPath,
'rCACrlPath':self.rCACrlPath,
'rDatabaseFileName':self.rDatabaseFileName,
'rCACertFile':rCACertFile,
'rSerialFileName':self.rSerialFileName,
'rCACrlFile':rCACrlFile,
'rCAKeyFile':rCAKeyFile,
'rRandFile':rRandFile,
'sslBits':sslBits,
'sslCountry':sslCountry,
'sslState':sslState,
'sslLocality':sslLocality,
'sslOrganization':sslOrganization,
'sslUnit':sslUnit,
'sslCommonName':sslCommonName,
'sslEmail':sslEmail,
'nsCertType':nsCertType}
cnfFile = self.createCnfFile(textCnf)
if cnfFile is False:
return False
# generate RSA key
execStr = self.templCreateKey%{'sslFile':self.sslFile,
'certKeyFile':keyFile,
'sslBits':sslBits}
if execProg(execStr) is False:
self.printERROR(_("Can not execute '%s'")%execStr)
return False
if os.path.exists(keyFile):
os.chown(keyFile, uid,gid)
os.chmod(keyFile, fileMode)
# generate request
execStr = self.templCreateReq%{'sslFile':self.sslFile,
'sslDays':sslDays,
'cnfFile':cnfFile,
'certKeyFile':keyFile,
'certCsrFile':csrFile}
if execProg(execStr) is False:
self.printERROR(_("Can not execute '%s'")%execStr)
return False
if os.path.exists(csrFile):
os.chown(csrFile, uid,gid)
os.chmod(csrFile, fileMode)
# set database attribute
databaseAttrFileName = os.path.join(CAPath, "index.dat.attr")
self._createFile(databaseAttrFileName, "unique_subject = no\n")
# generate signed cerificate
execStr = self.templCreateSignCert%{'sslFile':self.sslFile,
'sslDays':sslDays,
'cnfFile':cnfFile,
'certFile':certFile,
'certCsrFile':csrFile}
if execProg(execStr) is False:
self.printERROR(_("Can not execute '%s'")%execStr)
return False
if os.path.exists(certFile):
os.chown(certFile, uid,gid)
os.chmod(certFile, fileMode)
if os.path.exists(cnfFile):
os.remove(cnfFile)
# check certificate
return self.checkCertificate(certFile)
def createCertificate(self,
sslCountry=sslCountry,
sslState=sslCountry,
sslLocality=sslLocality,
sslOrganization=sslOrganization,
sslUnit=sslUnit,
sslCommonName=sslCommonName,
sslEmail=sslEmail,
nsCertType=nsCertType,
sslDays=sslDays,
sslBits=sslBits,
userName=userName,
certFile=certFile,
fileMode=fileMode,
keyFile=keyFile):
Add modules
14 years ago
"""Создает сертификат"""
certAndKeyFiles = [certFile, keyFile]
foundCertFiles = filter(lambda x: os.path.exists(x), certAndKeyFiles)
if len(foundCertFiles)==2:
return True
# Удаляем файл сертификата
map(lambda x: os.remove(x), foundCertFiles)
# получаем id и gid пользователя
Bugfix encrypt module
14 years ago
try:
pwdObj = pwd.getpwnam(userName)
except:
Sync english messages with i18n.
13 years ago
self.printERROR(_("User %s not found")%userName)
Add modules
14 years ago
return False
Bugfix encrypt module
14 years ago
uid = pwdObj.pw_uid
gid = pwdObj.pw_gid
Added method created CA signed certificates.
14 years ago
textCnf=self.templCnfData%{'sslBits':sslBits,
'sslCountry':sslCountry,
'sslState':sslState,
'sslLocality':sslLocality,
'sslOrganization':sslOrganization,
'sslUnit':sslUnit,
'sslCommonName':sslCommonName,
'sslEmail':sslEmail,
'nsCertType':nsCertType}
cnfFile = self.createCnfFile(textCnf)
if cnfFile is False:
Add modules
14 years ago
return False
# Cоздание директорий
for fileName in certAndKeyFiles:
dirName = os.path.split(fileName)[0]
if not os.path.exists(dirName):
Added method created CA signed certificates.
14 years ago
self._createDir(dirName, uid=uid, gid=gid)
Add modules
14 years ago
# Создание сертификата
Fix path certificate.
14 years ago
textLine = execProg("%s req -new -x509 -nodes -config '%s'"
"-days %s -out '%s'-keyout '%s'"
%(self.sslFile, cnfFile, sslDays, certFile,
keyFile))
Added method created CA signed certificates.
14 years ago
if textLine is False:
Sync english messages with i18n.
13 years ago
self.printERROR(_("Failed to create certificate %s")%certFile)
Added method created CA signed certificates.
14 years ago
return False
Add modules
14 years ago
# Удаление конфигурационного файла
if os.path.exists(cnfFile):
os.remove(cnfFile)
# Меняем права
if os.path.exists(certFile):
os.chown(certFile, uid,gid)
Added method created CA signed certificates.
14 years ago
os.chmod(certFile, fileMode)
Add modules
14 years ago
if os.path.exists(keyFile):
os.chown(keyFile, uid,gid)
Added method created CA signed certificates.
14 years ago
os.chmod(keyFile, fileMode)
return self.checkCertificate(certFile)
Bugfix encrypt module
14 years ago
Added method created CA signed certificates.
14 years ago
def _createDir(self, dirName, uid=0, gid=0, mode=0700):
Bugfix encrypt module
14 years ago
"""Создание пользовательской директории"""
if not os.path.exists(dirName):
os.makedirs(dirName)
if mode:
os.chmod(dirName,mode)
os.chown(dirName,uid,gid)
return True
else:
self.printERROR(_("Path %s exists") %dirName)
return False
Added method created CA signed certificates.
14 years ago
def _createFile(self, fileName, fileTxt, uid=0, gid=0, mode=0600):
Bugfix encrypt module
14 years ago
"""Создает пользовательский файл с содержимым
Если директория файла не существует то ошибка
"""
dirName = os.path.split(fileName)[0]
if not os.path.exists(dirName):
Sync english messages with i18n.
13 years ago
self.printERROR(_("Path %s does not exist") %dirName)
Bugfix encrypt module
14 years ago
return False
fd = os.open(fileName, os.O_CREAT)
os.close(fd)
Bugfix (file mode).
14 years ago
os.chmod(fileName, 0600)
Bugfix encrypt module
14 years ago
os.chown(fileName,uid,gid)
if fileTxt:
FD = open(fileName, "r+")
FD.write(fileTxt)
FD.close()
Added method created CA signed certificates.
14 years ago
os.chmod(fileName, mode)
Bugfix encrypt module
14 years ago
return True
Added LDAP variables.
14 years ago
def getHash(password, encr):
"""Получить хеш пароля
password - пароль
encr - алгоритм шифрования, например 'ssha'
"""
encryptObj = encrypt()
hashPwd = encryptObj.getHashPasswd(password, encr.lower())
if hashPwd:
return hashPwd
else:
encryptObj.printERROR(_("Error encrypt password, "
"method getHash()"))
cl_overriding.exit(1)