calculate
/
calculate-utils-3-core
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '940b125820'
${ noResults }
calculate-utils-3-core/pym/core/server/cert_cmd.py

1252 lines
44 KiB
Raw Blame History

# -*- coding: utf-8 -*-
# Copyright 2012-2016 Mir Calculate. http://www.calculate-linux.org
#
# Job with Command Line and Certificates
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from __future__ import print_function
from __future__ import absolute_import
import os
import glob
import socket
import subprocess
import hashlib
import sys
from .func import new_key_req, uniq
from calculate.lib.utils import ip as ip
from calculate.core.datavars import DataVarsCore
from calculate.lib.utils.files import readFile
from calculate.lib.utils.text import _u8
import urllib.request as u2
if hasattr(u2, "ssl"):
u2.ssl._create_default_https_context = u2.ssl._create_unverified_context
_ = lambda x: x
from calculate.lib.cl_lang import setLocalTranslate
setLocalTranslate('cl_core3', sys.modules[__name__])
def getIpLocal():
for interface in ip.getInterfaces():
return ip.getIp(interface)
else:
return ""
def getHwAddr():
""" get MAC adress for interface """
for interface in ip.getInterfaces():
return ip.getMac(interface)
else:
return ""
# method for generating server certificates
def check_server_certificate(cert, key, cert_path, args, port, auto=False):
if not os.path.isdir(cert_path):
os.makedirs(cert_path)
# generate a root certificate
if args.gen_root_cert:
if auto:
c = 'n'
else:
c = raw_input(_("Enter the certificate date manually? [y]/n: "))
from M2Crypto import X509
name = X509.X509_Name()
ob = DataVarsCore()
ob.importCore()
if not ob.flIniFile():
sys.exit(1)
lang = ob.Get('os_locale_locale')[:2]
host_name = socket.getfqdn()
from .create_cert import (passphrase_callback, generateRSAKey,
makePKey, CreateCertError, create_selfsigned_ca)
# Generating public key
rsa = generateRSAKey()
rsa.save_key(cert_path + '/root.key' + '_pub', cipher=None,
callback=passphrase_callback)
# Generating private key
pkey = makePKey(rsa)
pkey.save_key(cert_path + '/root.key', cipher=None,
callback=passphrase_callback)
name = {}
if c.lower() in ['n', 'no']:
name['CN'] = host_name # (Common Name);
name['OU'] = 'www.calculate-linux.ru' # (Organization Unit);
name['O'] = 'calculate-linux' # (Organization Name);
name['L'] = host_name + ':' + str(port) # (Locality Name);
name['ST'] = 'Spb' # (State Name);
name['C'] = lang # (Country);
else:
print(_('Do not use spaces or tabs.'))
host_name = socket.getfqdn()
name['CN'] = raw_input(_('Hostname [%s] : ') % host_name)
if name['CN'] in ['', None]:
name['CN'] = host_name
name['OU'] = raw_input(_('Organization unit: '))
if not name['OU']:
name['OU'] = ''
else:
name['OU'] = name['OU'].replace(' ', '_').replace('\t', '_')
name['O'] = raw_input(_('Organization name: '))
if not name['O']:
name['O'] = ''
else:
name['O'] = name['O'].replace(' ', '_').replace('\t', '_')
network = _('Full network address (host:port)')
name['L'] = raw_input(network + ' [%s:%d]: ' % (host_name, port))
if name['L'] in ['', None]:
name['L'] = host_name + ':' + str(port)
name['ST'] = raw_input(_('City: '))
if not name['ST']:
name['ST'] = ''
else:
name['ST'] = name['ST'].replace(' ', '_').replace('\t', '_')
name['C'] = raw_input(_('Country (two letters only!) [%s]: ') % lang)
if not name['C']:
name['C'] = lang
try:
create_selfsigned_ca(name, cert_path + '/root.key', cert_path + '/root.crt')
except CreateCertError:
print (_('Failed to create root certificate'))
# add certificate in trusted
try:
with open(cert_path + '/root.crt', 'r') as fd_r:
with open(cert_path + '/ca_root.crt', 'a') as fd_w:
fd_w.write(fd_r.read())
except IOError:
print (_('error writing to (reading from) files in directory %s')
% cert_path)
print(_("OK"))
# use self root certificate as server certificate
elif args.use_root_cert:
if not os.path.exists(cert_path + '/root.crt'):
print(_('root certificate not found (use cl-core with '
'option --gen-root-cert)'))
return 1
print(_('Using the root certificate as the server certificate'))
# use root certificate as server certificate
ft = open(cert_path + '/root.crt', 'rb')
fd = open(cert_path + '/server.crt', 'wb')
ft.seek(0)
fd.write(ft.read())
ft.close()
fd.close()
ft = open(cert_path + '/root.key', 'rb')
fd = open(cert_path + '/server.key', 'wb')
ft.seek(0)
fd.write(ft.read())
ft.close()
fd.close()
print(_("OK"))
return 0
# send a certificate signing request to another server
elif args.host:
url = "https://%s:%d/?wsdl" % (args.host, port)
print(url + '\n' + _("connecting..."))
import calculate.contrib
from suds.client import Client
from .client_class import HTTPSClientsCertTransport
from urllib.error import URLError
try:
client = Client(url, transport=HTTPSClientsCertTransport(
None, None, None))
except (KeyboardInterrupt, URLError):
print('\n' + _("Close. Connection Error."))
return 1
serv_host_name = client.service.get_server_host_name()
if os.path.exists(key) and os.path.exists(cert_path + '/server.csr'):
print(_("the private key and request now exist"))
ask = raw_input(_("Create a new private key and request?") +
" y/[n]: ")
if ask.lower() in ['y', 'yes']:
new_key_req(key, cert_path, serv_host_name, port)
else:
new_key_req(key, cert_path, serv_host_name, port)
local_ip = getIpLocal()
mac = getHwAddr()
data = readFile(cert_path + '/server.csr')
res = client.service.post_server_request(request=data, ip=local_ip,
mac=mac)
if int(res) < 0:
print(_("This server is not enabled to sign certificates!"))
return 1
with open(cert_path + '/req_id', 'w') as fc:
fc.write(res)
print(_("Your request ID = %s") % _u8(res))
return 0
# get a signed certificate from another server
elif args.root_host:
if not os.path.exists(cert_path + '/req_id'):
print (_("request not sent or file %s deleted")
% (cert_path + '/req_id'))
return 1
req_id = readFile(cert_path + '/req_id')
url = "https://%s:%d/?wsdl" % (args.root_host, port)
print(url + '\n' + _("connecting..."))
import calculate.contrib
from suds.client import Client
from .client_class import HTTPSClientsCertTransport
try:
client = Client(
url, transport=HTTPSClientsCertTransport(None, None, None))
except KeyboardInterrupt:
print('\n' + _("Close. Connection Error."))
return 1
request = readFile(cert_path + '/server.csr')
md5 = hashlib.md5()
md5.update(request)
md5sum = md5.hexdigest()
result = client.service.get_server_cert(req_id, md5sum)
cert = result[0][0]
if cert == '1':
print(_('The signature request was rejected!'))
return 1
elif cert == '2':
print(_("The signature request has not been examined yet."))
print(_("Your request ID = %s") % req_id)
return 1
elif cert == '3':
print(_('The signature request does not match earlier data.'))
return 1
elif cert == '4':
print(_("The request was sent from another IP."))
return 1
with open(cert_path + '/server.crt', 'w') as fc:
fc.write(cert)
ca_root = result[0][1]
os.unlink(cert_path + '/req_id')
print(_('Certificate saved. Your certificate ID = %s') % req_id)
with open(cert_path + '/ca_root.crt', 'w') as fd:
if ca_root:
fd.write(ca_root)
# fd.write(cert)
if os.path.exists(cert_path + '/ca_root.crt'):
fd.write(readFile(cert_path + '/ca_root.crt'))
return 0
def create_path(data_path, certbase, rights, group_rights, local_data_path):
if not os.path.exists(certbase):
if not os.path.exists(data_path + '/client_certs'):
try:
os.makedirs(data_path + '/client_certs')
except OSError:
print (_("cannot create directory %s")
% (data_path + '/client_certs'))
open(certbase, 'w').close()
if not os.path.exists(data_path + '/conf'):
try:
os.makedirs(data_path + '/conf')
except OSError:
print(_("cannot create directory %s") % (data_path + '/conf'))
if not os.path.exists(local_data_path + '/conf'):
try:
os.makedirs(local_data_path + '/conf')
except OSError:
print(_("cannot create directory %s") % (local_data_path + '/conf'))
if not os.path.isfile(rights):
rights_text = '# example of content:\n' + \
'# certificate number 2 has right to run method ' + \
'"pid_info", and the certificate\n' + \
'# number 1 does not have rights. Use key --right-add ' + \
'and --right-del. See man.\n' + \
'#pid_info 2 -1\n'
fr = open(rights, 'w')
fr.write(rights_text)
fr.close()
if not os.path.isfile(group_rights):
group_rights_text = ('# example of content:\n'
'#manager pid_info,list_pid,cl_template,install\n'
'system_update update,setupsystem,configure')
fgr = open(group_rights, 'w')
fgr.write("%s\n"%group_rights_text)
fgr.close()
# if not os.path.exists(data_path+'/server_certs/CRL'):
# open(data_path+'/server_certs/CRL', 'w')
# find a id by certificate
def find_cert_id(certificate, data_path, certbase):
# Open database
if not os.path.exists(certbase):
if not os.path.exists(data_path + '/client_certs'):
try:
os.makedirs(data_path + '/client_certs')
except OSError:
print (_("cannot create directory %s")
% (data_path + '/client_certs'))
pass
temp = open(certbase, 'w')
temp.close()
md5 = hashlib.md5()
md5.update(certificate)
md5sum = md5.hexdigest()
cert_id = []
with open(certbase) as fd:
t = fd.read()
# See each line
for line in t.splitlines():
# and each word in line
words = line.split()
if len(words) > 1:
# if in line present certificate id
if words[1] == md5sum:
cert_id.append(words[0])
cert_path = data_path + '/client_certs/'
for certId in cert_id:
if os.path.isfile(cert_path + certId + '.crt'):
fp = open(cert_path + certId + '.crt', 'r')
cert = fp.read()
fp.close()
else:
cert = 'no cert'
if certificate == cert:
return certId
return 0
# find a certificate by id
def find_id_cert(cert_id, data_path):
cert_file = data_path + '/client_certs/%s.crt' % str(cert_id)
if os.path.exists(cert_file):
fp = open(cert_file, 'r')
cert = fp.read()
fp.close()
return cert
return 0
# delete selected clients certificate
def del_cert(certbase, data_path, cert_id):
cert_id = str(cert_id)
ft = open(certbase + '_temp', 'w')
with open(certbase) as fd:
t = fd.read()
# See each line
for line in t.splitlines():
# and each word in line
words = line.split()
# if in line present certificate id
if not words[0] == cert_id:
ft.write(line + '\n')
ft.close()
fd.close()
ft = open(certbase + '_temp', 'rb')
fc = open(certbase, 'wb')
ft.seek(0)
fc.write(ft.read())
ft.close()
fc.close()
os.unlink(certbase + '_temp')
try:
os.unlink(data_path + '/client_certs/' + cert_id)
except OSError:
print(_("failed to delete the certificate!"))
def add_right(cert_id, method, rights):
ft = open(rights + "_temp", 'w')
# open file with rights
find_perm_flag = False
with open(rights) as fd:
t = fd.read()
# See each line
for line in t.splitlines():
if not line:
continue
flag = 0
# and each word in line
words = line.split()
if words[0] == method:
find_perm_flag = True
for word in words:
# if in line present certificate id
if cert_id == word:
flag = 1
if '-' + cert_id == word:
line = line.replace(' ' + word, '')
if not flag:
line += "%s " % cert_id
print("id %s - add %s" % (cert_id, method))
ft.write(line + '\n')
fd.close()
if not find_perm_flag:
ft.write('%s %s \n' % (method, str(cert_id)))
print("id %s - add %s" % (cert_id, method))
ft.close()
# copy all from temp file
ft = open(rights + '_temp', 'rb')
fd = open(rights, 'wb')
ft.seek(0)
fd.write(ft.read())
ft.close()
fd.close()
# delete temp file
os.unlink(rights + '_temp')
def del_right(cert_id, method, rights):
ft = open(rights + "_temp", 'w')
find_perm_flag = False
# open file with rights
with open(rights) as fd:
t = fd.read()
# See each line
for line in t.splitlines():
flag = 0
# and each word in line
words = line.split()
if words[0] == method:
find_perm_flag = True
for word in words:
# if in line present certificate id
if '-' + cert_id == word:
flag = 1
if cert_id == word:
line = line.replace(' ' + word, '')
if not flag:
line += "-%s " % cert_id
print("id %s - remove %s" % (cert_id, method))
ft.write(line + '\n')
fd.close()
if not find_perm_flag:
ft.write('%s -%s \n' % (method, str(cert_id)))
print("id %s - remove %s" % (cert_id, method))
ft.close()
# copy all from temp file
ft = open(rights + '_temp', 'rb')
fd = open(rights, 'wb')
ft.seek(0)
fd.write(ft.read())
ft.close()
fd.close()
# delete temp file
os.unlink(rights + '_temp')
# add or delete rights a selected certificate
def change_rights_cert(cert_id, right_add, right_del,
rights, group_rights, certbase):
list_id = []
if not cert_id == 'all':
try:
int(cert_id)
list_id.append(cert_id)
except ValueError:
ls_id = cert_id.split(',')
try:
for i in ls_id:
int(i)
list_id.append(i)
except ValueError:
print(_('to change permissions, the certificate number must '
'be integer'))
return 1
elif cert_id == 'all':
with open(certbase) as fd:
t = fd.read()
# See each line
for line in t.splitlines():
# and each word in line
words = line.split()
# if in line present certificate id
list_id.append(words[0])
for cert_id in list_id:
cert_id = str(cert_id)
if right_add:
if not os.path.exists(rights):
print(_('file %s not found!') % rights)
return 1
ls_rig_add = right_add.split(',')
for meth in ls_rig_add:
add_right(cert_id, meth, rights)
if right_del:
if not os.path.exists(rights):
print(_('file %s not found!') % rights)
return 1
ls_rig_del = right_del.split(',')
for meth in ls_rig_del:
del_right(cert_id, meth, rights)
# Detailed view clients certificates
def view_cert_info(cert, cert_id, rights, group_rights):
import OpenSSL
certobj = OpenSSL.crypto.load_certificate(OpenSSL.SSL.FILETYPE_PEM, cert)
print(certobj.get_extension(certobj.get_extension_count() - 1))
print(_("Fingerprint = "), certobj.digest('SHA1'))
print(_("Serial number = "), certobj.get_serial_number())
issuer = certobj.get_issuer().get_components()
print('\n' + _("Issuer"))
for i in issuer:
print(" %s : %s" % (i[0], i[1]))
subject = certobj.get_subject().get_components()
print('\n' + _("Subject"))
for item in subject:
print(" %s : %s" % (item[0], item[1]))
print('\n' + _("Permissions: "))
certobj = OpenSSL.crypto.load_certificate(OpenSSL.SSL.FILETYPE_PEM, cert)
com = certobj.get_extension(certobj.get_extension_count() - 1).get_data()
groups = com.split(':')[1]
groups_list = groups.split(',')
results = []
if not os.path.exists(group_rights):
open(group_rights, 'w').close()
with open(group_rights) as fd:
t = fd.read()
fd.close()
for line in t.splitlines():
if not line:
continue
words = line.split(' ', 1)
# first word in line equal name input method
if words[0] in groups_list:
methods = words[1].split(',')
for i in methods:
results.append(i.strip())
results = uniq(results)
add_list_rights = []
del_list_rights = []
with open(rights) as fr:
t = fr.read()
for line in t.splitlines():
words = line.split()
meth = words[0]
for word in words:
try:
word = int(word)
except ValueError:
continue
# compare with certificat number
if cert_id == word:
# if has right
add_list_rights.append(meth)
if cert_id == -word:
del_list_rights.append(meth)
if 'all' in groups_list:
sys.stdout.write(' ' + _('all methods'))
sys.stdout.flush()
if del_list_rights:
sys.stdout.write(_(', except:') + '\n')
sys.stdout.flush()
for meth in del_list_rights:
print(' ' + meth)
return
results += add_list_rights
results = uniq(results)
for method in results:
if method in del_list_rights:
results.remove(method)
if not results:
print(_("No methods available"))
else:
for meth in results:
print(' ' + meth)
# View, change rights, delete clients certificates on server
def view_cert(args, certbase, data_path, rights, group_rights):
cert_id = args.Id
dump = args.dump
remove = args.remove
right_add = args.right_add
right_del = args.right_del
for i in [right_add, right_del]:
if i:
change_rights_cert(cert_id, right_add, right_del,
rights, group_rights, certbase)
return 0
if not os.path.exists(certbase):
fc = open(certbase, "w")
fc.close()
if cert_id == 'all':
count = 0
with open(certbase) as fd:
t = fd.read()
# See each line
for line in t.splitlines():
# and each word in line
words = line.split()
count += 1
cert = find_id_cert(words[0], data_path)
if cert == 0:
count -= 1
continue
print(_("Certificate ID = %s") % words[0])
if dump:
cert = find_id_cert(words[0], data_path)
if cert == 0:
count -= 1
continue
view_cert_info(cert, words[0], rights, group_rights)
print("#############################################\n")
print(_("Total: %d certificates.") % count)
if remove:
answer = raw_input(
_("Are you sure? Delete all client certificates?") + ' y/[n]: ')
if answer.lower() in ['y', 'yes']:
fc = open(certbase, "w")
fc.close()
return 0
try:
cert_id = int(cert_id)
except ValueError:
print(_("certificate number not int and not 'all'"))
return 1
cert = find_id_cert(cert_id, data_path)
if not cert:
print(_("Certificate not found"))
return 1
if dump:
print(cert)
else:
view_cert_info(cert, cert_id, rights, group_rights)
if remove:
answer = raw_input(
_("Delete the client certificate with ID %d? y/[n]: ") % cert_id)
if answer.lower() in ['y', 'yes']:
del_cert(certbase, data_path, cert_id)
print(_("Deleted"))
return 0
# Sign client request by server certificate
def sing_req_by_server(id_client_req, cert_path, data_path, auto=False,
group_name="all"):
server_cert = cert_path + '/root.crt'
server_key = cert_path + '/root.key'
if id_client_req:
try:
int(id_client_req)
except ValueError:
print(_("The certificate number must be int"))
return 1
cl_req = data_path + '/client_certs/%s.csr' % id_client_req
cl_cert = data_path + '/client_certs/%s.crt' % id_client_req
if not os.path.exists(cl_req):
print(_("Signature request %s not found") % cl_req)
return 1
if os.path.exists(cl_cert):
print(_("Certificate %s now exists") % cl_cert)
return 1
if not auto:
group_name = ""
while not group_name.split():
group_name = "%s" % raw_input(
_("Enter the group of the new certificate "
"(group name or 'all'): "))
config = data_path + '/client_certs/ssl-client.cfg'
if os.path.exists(config):
os.unlink(config)
from .create_cert import (sign_client_certifacation_request,
CreateCertError)
try:
sign_client_certifacation_request(
server_key, server_cert, cl_req, cl_cert, group_name)
except CreateCertError:
print (_('Failed to sign client certificate'))
# print 'startdate = ', startdate
# cfg_text = (#"[ ssl_client ]\n"
# "basicConstraints = CA:FALSE\n"
# "nsCertType = client\n"
# "keyUsage = digitalSignature, keyEncipherment\n"
# "extendedKeyUsage = clientAuth\n"
# "nsComment = %s\n" %group)
# print 'config = ', cfg_text
# fc = open(config, 'w')
# fc.write(cfg_text)
# fc.close()
# cmd=("openssl x509 -req -days 11000 -CA %s -CAkey %s -CAcreateserial "
# "-extfile %s -extensions ssl_client -in %s -out %s") \
# %(server_cert, server_key, config, cl_req, cl_cert)
# print cmd
# PIPE = subprocess.PIPE
# p = subprocess.Popen(cmd, shell=True, stdin=PIPE, stdout=PIPE,
# stderr=subprocess.STDOUT, close_fds=True)
# p.wait()
if os.path.exists(cl_cert):
print(_("Certificate %s is signed") % cl_cert)
else:
print(_("Certificate %s has not been signed") % cl_cert)
return 0
# Sign server request by root certificate
def sing_req_by_root(args, cert_path, data_path):
root_cert = cert_path + '/root.crt'
root_key = cert_path + '/root.key'
if not os.path.exists(root_cert) or not os.path.exists(root_key):
print(_("Root certificate or private key not found"))
print(_("see %s") % cert_path)
return 1
if args.id_server_req:
try:
int(args.id_server_req)
except ValueError:
print(_("The certificate number must be int"))
return 1
sign_req = data_path + '/server_certs/%s.csr' % args.id_server_req
sign_cert = data_path + '/server_certs/%s.crt' % args.id_server_req
if not os.path.exists(sign_req):
print(_("Signature request %s not found") % sign_req)
return 1
if os.path.exists(sign_cert):
print(_("Certificate %s now exists") % sign_cert)
return 1
# config = cert_path + '/ssl-server-ca.cfg'
# if not os.path.exists(config):
# cfg_text = ("[ ssl_server_ca ]\nsubjectKeyIdentifier=hash\n"
# "authorityKeyIdentifier = keyid, issuer\n"
# "basicConstraints = CA:true\n"
# "nsCertType = server\n"
# "keyUsage = keyCertSign, digitalSignature, keyEncipherment, "
# "cRLSign, nonRepudiation\n"
# "extendedKeyUsage = serverAuth, clientAuth, nsSGC, msSGC")
# fc = open(config, 'w')
# fc.write(cfg_text)
# fc.close()
# cmd=("openssl x509 -req -days 11000 -CA %s -CAkey %s -CAcreateserial "
# "-extfile %s -extensions ssl_server_ca -in %s -out %s") \
# %(root_cert, root_key, config, sign_req, sign_cert)
cmd = ("openssl x509 -req -days 11000 -CA %s -CAkey %s -CAcreateserial "
"-in %s -out %s") % (root_cert, root_key, sign_req, sign_cert)
print(cmd)
PIPE = subprocess.PIPE
p = subprocess.Popen(cmd, shell=True, stdin=PIPE, stdout=PIPE,
stderr=subprocess.STDOUT, close_fds=True)
p.wait()
print(_("Certificate %s is signed") % sign_cert)
return 0
# Detailed view server signed certificates
def view_signed_cert_info(cert_id, serv_certbase, data_path, mid_path):
cert_file = data_path + '/%s/%d.crt' % (mid_path, cert_id)
print(cert_file)
import OpenSSL
if os.path.exists(cert_file):
fp = open(cert_file, 'r')
cert = fp.read()
fp.close()
certobj = OpenSSL.crypto.load_certificate(
OpenSSL.SSL.FILETYPE_PEM, cert)
if mid_path == 'client_certs':
print(certobj.get_extension(certobj.get_extension_count() - 1))
print(_("Fingerprint = "), certobj.digest('SHA1'))
print(_("Serial number = "), certobj.get_serial_number())
issuer = certobj.get_issuer().get_components()
print('\n' + _("Issuer"))
for i in issuer:
print("%s : %s" % (i[0], i[1]))
subject = certobj.get_subject().get_components()
print('\n' + _("Subject"))
for item in subject:
print("%s : %s" % (item[0], item[1]))
if not os.path.exists(serv_certbase):
fc = open(serv_certbase, "w")
fc.close()
with open(serv_certbase) as fd:
t = fd.read()
# See each line
for line in t.splitlines():
# and each word in line
words = line.split()
# if in line present certificate id
if words[0] == str(cert_id):
print('\n' + _('request sent from:'))
print('IP: %s' % words[4])
print('MAC: %s' % words[5])
print(_('date') + ' - %s %s' % (words[2], words[3]))
break
else:
print(_("Certificate not found!"))
print("\n###################################################\n")
# Detailed view server request
req_file = data_path + '/%s/%d.csr' % (mid_path, cert_id)
print(req_file)
if os.path.exists(req_file):
fp = open(req_file, 'r')
request = fp.read()
fp.close()
reqobj = OpenSSL.crypto.load_certificate_request(
OpenSSL.SSL.FILETYPE_PEM, request)
subject = reqobj.get_subject().get_components()
print('\n' + _("Subject"))
for item in subject:
print(" %s : %s" % (item[0], item[1]))
if not os.path.exists(serv_certbase):
fc = open(serv_certbase, "w")
fc.close()
with open(serv_certbase) as fd:
t = fd.read()
# See each line
for line in t.splitlines():
# and each word in line
words = line.split()
# if in line present certificate id
if words[0] == str(cert_id):
print('\n' + _('request sent from:'))
print('IP: %s' % words[4])
print('MAC: %s' % words[5])
print(_('date') + ' - %s %s' % (words[2], words[3]))
break
else:
print(_("Request for signature not found!"))
return 0
# view servers signed certificates
def view_signed_cert(args, serv_certbase, data_path):
cert_id = args.cert_id
# dump = args.dump
# remove = args.remove
if cert_id == 'all':
if not os.path.exists(serv_certbase):
fc = open(serv_certbase, "w")
fc.close()
count = 0
with open(serv_certbase) as fd:
t = fd.read()
# See each line
for line in t.splitlines():
# and each word in line
words = line.split()
cert = '%s/server_certs/%s.crt' % (data_path, words[0])
req = '%s/server_certs/%s.csr' % (data_path, words[0])
if os.path.exists(cert):
print('Certificate \t', cert)
count += 1
if os.path.exists(req):
if not os.path.exists(cert):
print(_('Request \t%s: not signed') % req)
else:
print(_('Request \t%s') % req)
count += 1
if not count:
print(_("Certificate or request not found!"))
return 0
try:
cert_id = int(cert_id)
except ValueError:
print(_("certificate (request) number not int and not 'all'"))
return 1
view_signed_cert_info(cert_id, serv_certbase, data_path, 'server_certs')
return 0
# View clients requests on server
def view_client_request(args, client_certbase, data_path):
req_id = args.req_id
if req_id == 'all':
if not os.path.exists(client_certbase):
fc = open(client_certbase, "w")
fc.close()
count = 0
with open(client_certbase) as fd:
t = fd.read()
# See each line
for line in t.splitlines():
# and each word in line
words = line.split()
cert = '%s/client_certs/%s.crt' % (data_path, words[0])
req = '%s/client_certs/%s.csr' % (data_path, words[0])
if os.path.exists(cert):
print(_('Certificate \t'), cert)
count += 1
if os.path.exists(req):
if not os.path.exists(cert):
print(_('Request \t%s: not signed') % req)
else:
print(_('Request \t%s') % req)
count += 1
if not count:
print(_("Certificate or request not found!"))
return 0
try:
req_id = int(req_id)
except ValueError:
print(_("certificate (request) number not int and not 'all'"))
return 1
view_signed_cert_info(req_id, client_certbase, data_path, 'client_certs')
return 0
# refuse to sign request
def del_request(id_del_serv_req, id_del_client_req, serv_certbase,
client_certbase, data_path):
if id_del_serv_req:
sub_path = 'server_certs'
id_del_req = id_del_serv_req
certbase = serv_certbase
else:
sub_path = 'client_certs'
id_del_req = id_del_client_req
certbase = client_certbase
try:
int(id_del_req)
except ValueError:
print(_("The ID must be int."))
return 1
request = os.path.join(data_path, sub_path, '%s.csr' % id_del_req)
cert = os.path.join(data_path, sub_path, '%s.crt' % id_del_req)
# chect exists request and certificate files
print(request)
if not os.path.exists(request) and not os.path.exists(cert):
print(_("Request or certificate with ID = %s not found!") % id_del_req)
return 1
if not os.path.exists(request):
print(_("request %s not found!") % request)
if os.path.exists(cert):
print(_("Request duly signed"))
ask = raw_input(
_("Delete the certificate and the signature request? y/[n]: "))
if not ask.lower() in ['y', 'yes']:
print(_("Not deleted"))
return 0
# create temp file
if not os.path.isfile(certbase):
fd = open(certbase, 'w')
fd.close()
ft = open(certbase + '_temp', 'w')
with open(certbase) as fd:
t = fd.read()
# See each line
for line in t.splitlines():
# and each word in line
words = line.split()
# if in line present certificate id
if not words[0] == id_del_req:
ft.write(line + '\n')
ft.close()
fd.close()
ft = open(certbase + '_temp', 'rb')
fc = open(certbase, 'wb')
ft.seek(0)
fc.write(ft.read())
ft.close()
fc.close()
os.unlink(certbase + '_temp')
try:
if os.path.exists(request):
os.unlink(request)
print(_("signature request deleted"))
if os.path.exists(cert):
os.unlink(cert)
print(_("certificate deleted"))
except OSError:
print(_("failed to delete the file!"))
def revoke_signed_cert(revoke_cert_id, data_path, cert_path):
CRL = data_path + '/server_certs/ca.crl'
CRL_mid_dir = "/server_certs/CRL/"
CRL_db_dir = data_path + CRL_mid_dir
if revoke_cert_id == 'rm':
if os.path.exists(CRL_db_dir):
for filename in glob.glob(CRL_db_dir + "*"):
os.unlink(filename)
if os.path.exists(CRL):
os.unlink(CRL)
print(_("CRL deleted"))
return 0
print(_("CRL does not exist"))
return 0
try:
int(revoke_cert_id)
except ValueError:
print(_("The ID of a certificate to be revoked must be integer!"))
return 1
cert_file = data_path + "/server_certs/%s.crt" % revoke_cert_id
if not os.path.exists(cert_file):
print(_("Certificate %s not found") % cert_file)
return 1
if not os.path.exists(CRL_db_dir):
os.makedirs(CRL_db_dir)
index_file = CRL_db_dir + 'index'
if not os.path.exists(index_file):
open(index_file, 'w').close()
serial_file = CRL_db_dir + 'serial'
if not os.path.exists(serial_file):
open(serial_file, 'w').close()
default_crl_days = 14
conf_file = data_path + "/server_certs/ca.config"
# if not os.path.exists (conf_file):
content_conf = ("[ ca ]\ndefault_ca = CA_CLIENT\n"
"[ CA_CLIENT ]\n"
"dir = %s\n"
"database = %s\n"
"serial = %s\n"
"certificate = %s\n"
"private_key = %s\n"
# "default_days = 365"
"default_crl_days = %d\n"
"default_md = md5\n") % (
CRL_db_dir, index_file,
serial_file, cert_path + '/root.crt',
cert_path + '/root.key',
default_crl_days)
fd = open(conf_file, 'w')
fd.write(content_conf)
fd.close()
# server_cert = open (cert_file, 'r').read()
cmd_rev_cert = "openssl ca -config %s -revoke %s" % (conf_file, cert_file)
os.system(cmd_rev_cert)
cmd_create_crl = "openssl ca -gencrl -config %s -out %s" % (conf_file, CRL)
os.system(cmd_create_crl)
print()
cmd_show_crl = "openssl crl -text -noout -in %s" % CRL
os.system(cmd_show_crl)
#################################################################
def parse(full=False):
import argparse
from .methods_func import RawAndDefaultsHelpFormatter
parser = argparse.ArgumentParser(
add_help=False, formatter_class=RawAndDefaultsHelpFormatter)
parser.add_argument(
'-h', '--help', action='store_true', default=False,
dest='help', help=_("show this help message and exit"))
if full:
parser.add_argument(
'--start', action='store_true', default=False, dest='start',
help=_('server started'))
parser.add_argument(
'--port', type=int, dest='port',
help=_('port number'))
parser.add_argument(
'--pid-file', type=str, dest='pidfile',
help=_('Specify the location of the PID file'))
parser.add_argument(
'--close-on-inactive', action='store_true', dest='inactiveclose',
default=False,
help=_('stop the server if there are no active sessions'))
parser.add_argument(
'--cert', type=str, dest='Id',
help=_('operations with certificates (number or "all"). Server not'
' running.'))
parser.add_argument(
'--show-request', type=str, dest='req_id',
help=_("view client requests (number or \"all\")"))
parser.add_argument(
'--sc', '--server-cert', type=str, dest='cert_id',
help=_('view servers certificates (number or "all"). '
'Server not running.'))
parser.add_argument(
'-b', '--bootstrap', action='store_true', default=False,
dest='bootstrap_user_name', help=_('bootstrap action'))
parser.add_argument(
'-u', '--create-localuser-cert', type=str, dest='cert_user_name',
help=_('create certificate for local user'))
parser.add_argument(
'--clear-localuser-cert', action='store_true', default=False,
dest='clear_user_cert',
help=_('remove all local user certificates'))
parser.add_argument(
'--remove-certs', action='store_true', default=False,
dest='remove_certificates',
help=_('use with option --bootstrap to remove '
'all certificates, requests and config files on the server'))
parser.add_argument(
'--dump', action='store_true', default=False, dest='dump',
help=_('dump (use with option -c [ID])'))
parser.add_argument(
'--db', '--debug', action='store_true', default=False, dest='debug',
help=_('debug'))
if full:
parser.add_argument(
'--rm', '--remove', action='store_true', default=False,
dest='remove',
help=_('remove the selected certificate (use with option -c [ID])'))
parser.add_argument(
'--right-add', type=str, dest='right_add',
help=_('add permissions for a certificate (or certificates, '
'comma-separated) (use with option -c [ID])'))
parser.add_argument(
'--right-del', type=str, dest='right_del', help=_(
'remove permissions for a certificate '
'(use with option -c [ID])'))
parser.add_argument(
'--gen-root-cert', action='store_true', default=False,
dest='gen_root_cert', help=_('generate a root (or CA) certificate'))
parser.add_argument(
'--gen-cert-by', type=str, dest='host',
help=_("send a signature request for the root certificate"))
parser.add_argument(
'--get-cert-from', type=str, dest='root_host',
help=_('fetch the signed certificate from the server'))
parser.add_argument(
'--use-root-as-server', action='store_true', default=False,
dest='use_root_cert', help=_('use the root certificate as the '
'server certificate'))
parser.add_argument(
'--sign-client', type=str, dest='id_client_req',
help=_("sign the client's request with the server certificate"))
parser.add_argument(
'--sign-server', type=str, dest='id_server_req',
help=_("sign the server's request with the root certificate"))
parser.add_argument(
'--del-server-req', type=str, dest='id_del_req',
metavar='id_req', help=_("refuse to sign the certificate at "
"the server's request"))
parser.add_argument(
'--del-client-req', type=str, dest='id_del_client_req',
metavar='id_req', help=_("decline client's request for signature"))
parser.add_argument(
'--rv', '--revoke-cert', type=str, dest='revoke_cert_id', help=_(
'revoke an earlier signed server (or CA) certificate. '
'Run rm to remove the CRL'))
parser.add_argument(
'--method', type=str, dest='method', help=_('call method'))
parser.add_argument(
'--list-methods', action='store_true', default=False,
dest='list_methods', help=_('display all available methods'))
parser.add_argument(
'--no-progress', action='store_true', default=False,
dest='no_progress', help=_('do not display the progress bar'))
parser.add_argument(
'--gui-progress', action='store_true', default=False,
dest='gui_progress', help=_("display the GUI progress bar"))
parser.add_argument(
'--gui-warning', action='store_true', default=False,
dest='gui_warning', help=_('display warnings at the end'))
parser.add_argument(
'-f', '--force', action='store_true', default=False,
dest='no_questions', help=_('silent during the process'))
parser.add_argument(
'-P', action='store_true', default=False,
dest='stdin_passwd',
help=_('use passwords from standard input for users accounts'))
if full:
parser.add_argument(
'--check', action='store_true', default=False, dest='check',
help=_('configuration check'))
parser.add_argument(
'--create-symlink', action='store_true', default=False,
dest='create_symlink', help=_("Create symlinks for methods"))
parser.add_argument(
'--log-path', type=str, dest='log_path',
help=_('path to log files'))
parser.add_argument(
'--version', action='store_true', default=False,
dest='version', help=_('print the version number, then exit'))
return parser
Reference in new issue View Git Blame Copy Permalink