From a663efd39eae7709fd68ccc3ce0935034841c01b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lauri=20V=C3=B5sandi?= Date: Sun, 26 Mar 2017 17:40:39 +0000 Subject: [PATCH] Create directories and set selinux context for `certidude request` --- certidude/helpers.py | 31 +++++++++++++++++++++++++++---- 1 file changed, 27 insertions(+), 4 deletions(-) diff --git a/certidude/helpers.py b/certidude/helpers.py index edf02ca..80f5813 100644 --- a/certidude/helpers.py +++ b/certidude/helpers.py @@ -17,10 +17,26 @@ from configparser import ConfigParser from cryptography import x509 from cryptography.hazmat.backends import default_backend +def selinux_fixup(path): + """ + Fix OpenVPN credential store security context on Fedora + """ + if not os.path.exists("/sys/fs/selinux"): + return + cmd = "chcon", "--type=home_cert_t", path + subprocess.call(cmd) + def certidude_request_certificate(server, key_path, request_path, certificate_path, authority_path, revocations_path, common_name, autosign=False, wait=False, bundle=False, renew=False, insecure=False): """ Exchange CSR for certificate using Certidude HTTP API server """ + + # Create directories + for path in key_path, request_path, certificate_path, authority_path, revocations_path: + dir_path = os.path.dirname(path) + if not os.path.exists(dir_path): + os.makedirs(dir_path) + # Set up URL-s request_params = set() if autosign: @@ -52,6 +68,7 @@ def certidude_request_certificate(server, key_path, request_path, certificate_pa with open(authority_partial, "w") as oh: oh.write(r.content) click.echo("Writing authority certificate to: %s" % authority_path) + selinux_fixup(authority_partial) os.rename(authority_partial, authority_path) # Fetch certificate revocation list @@ -67,6 +84,7 @@ def certidude_request_certificate(server, key_path, request_path, certificate_pa else: # TODO: Check monotonically increasing CRL number click.echo("Certificate revocation list passed verification") + selinux_fixup(revocations_partial) os.rename(revocations_partial, revocations_path) # Check if we have been inserted into CRL @@ -143,13 +161,16 @@ def certidude_request_certificate(server, key_path, request_path, certificate_pa # Sign & dump CSR os.umask(0o022) - with open(request_path + ".part", "wb") as f: + request_partial = tempfile.mktemp(prefix=request_path + ".part") + with open(request_partial, "wb") as f: f.write(csr.sign(key, hashes.SHA256(), default_backend()).public_bytes(serialization.Encoding.PEM)) click.echo("Writing private key to: %s" % key_path) + selinux_fixup(key_partial) os.rename(key_partial, key_path) + click.echo("Writing certificate signing request to: %s" % request_path) - os.rename(request_path + ".part", request_path) + os.rename(request_partial, request_path) # We have CSR now, save the paths to client.conf so we could: # Update CRL, renew certificate, maybe something extra? @@ -229,7 +250,8 @@ def certidude_request_certificate(server, key_path, request_path, certificate_pa raise ValueError("Failed to parse PEM: %s" % submission.text) os.umask(0o022) - with open(certificate_path + ".part", "w") as fh: + certificate_partial = tempfile.mktemp(prefix=certificate_path + ".part") + with open(certificate_partial, "w") as fh: # Dump certificate fh.write(submission.text) @@ -239,7 +261,8 @@ def certidude_request_certificate(server, key_path, request_path, certificate_pa fh.write(ch.read()) click.echo("Writing certificate to: %s" % certificate_path) - os.rename(certificate_path + ".part", certificate_path) + selinux_fixup(certificate_partial) + os.rename(certificate_partial, certificate_path) # TODO: Validate fetched certificate against CA # TODO: Check that recevied certificate CN and pubkey match