mirror of
https://github.com/laurivosandi/certidude
synced 2025-01-08 15:17:35 +00:00
Create directories and set selinux context for certidude request
This commit is contained in:
parent
77db728294
commit
a663efd39e
@ -17,10 +17,26 @@ from configparser import ConfigParser
|
||||
from cryptography import x509
|
||||
from cryptography.hazmat.backends import default_backend
|
||||
|
||||
def selinux_fixup(path):
|
||||
"""
|
||||
Fix OpenVPN credential store security context on Fedora
|
||||
"""
|
||||
if not os.path.exists("/sys/fs/selinux"):
|
||||
return
|
||||
cmd = "chcon", "--type=home_cert_t", path
|
||||
subprocess.call(cmd)
|
||||
|
||||
def certidude_request_certificate(server, key_path, request_path, certificate_path, authority_path, revocations_path, common_name, autosign=False, wait=False, bundle=False, renew=False, insecure=False):
|
||||
"""
|
||||
Exchange CSR for certificate using Certidude HTTP API server
|
||||
"""
|
||||
|
||||
# Create directories
|
||||
for path in key_path, request_path, certificate_path, authority_path, revocations_path:
|
||||
dir_path = os.path.dirname(path)
|
||||
if not os.path.exists(dir_path):
|
||||
os.makedirs(dir_path)
|
||||
|
||||
# Set up URL-s
|
||||
request_params = set()
|
||||
if autosign:
|
||||
@ -52,6 +68,7 @@ def certidude_request_certificate(server, key_path, request_path, certificate_pa
|
||||
with open(authority_partial, "w") as oh:
|
||||
oh.write(r.content)
|
||||
click.echo("Writing authority certificate to: %s" % authority_path)
|
||||
selinux_fixup(authority_partial)
|
||||
os.rename(authority_partial, authority_path)
|
||||
|
||||
# Fetch certificate revocation list
|
||||
@ -67,6 +84,7 @@ def certidude_request_certificate(server, key_path, request_path, certificate_pa
|
||||
else:
|
||||
# TODO: Check monotonically increasing CRL number
|
||||
click.echo("Certificate revocation list passed verification")
|
||||
selinux_fixup(revocations_partial)
|
||||
os.rename(revocations_partial, revocations_path)
|
||||
|
||||
# Check if we have been inserted into CRL
|
||||
@ -143,13 +161,16 @@ def certidude_request_certificate(server, key_path, request_path, certificate_pa
|
||||
|
||||
# Sign & dump CSR
|
||||
os.umask(0o022)
|
||||
with open(request_path + ".part", "wb") as f:
|
||||
request_partial = tempfile.mktemp(prefix=request_path + ".part")
|
||||
with open(request_partial, "wb") as f:
|
||||
f.write(csr.sign(key, hashes.SHA256(), default_backend()).public_bytes(serialization.Encoding.PEM))
|
||||
|
||||
click.echo("Writing private key to: %s" % key_path)
|
||||
selinux_fixup(key_partial)
|
||||
os.rename(key_partial, key_path)
|
||||
|
||||
click.echo("Writing certificate signing request to: %s" % request_path)
|
||||
os.rename(request_path + ".part", request_path)
|
||||
os.rename(request_partial, request_path)
|
||||
|
||||
# We have CSR now, save the paths to client.conf so we could:
|
||||
# Update CRL, renew certificate, maybe something extra?
|
||||
@ -229,7 +250,8 @@ def certidude_request_certificate(server, key_path, request_path, certificate_pa
|
||||
raise ValueError("Failed to parse PEM: %s" % submission.text)
|
||||
|
||||
os.umask(0o022)
|
||||
with open(certificate_path + ".part", "w") as fh:
|
||||
certificate_partial = tempfile.mktemp(prefix=certificate_path + ".part")
|
||||
with open(certificate_partial, "w") as fh:
|
||||
# Dump certificate
|
||||
fh.write(submission.text)
|
||||
|
||||
@ -239,7 +261,8 @@ def certidude_request_certificate(server, key_path, request_path, certificate_pa
|
||||
fh.write(ch.read())
|
||||
|
||||
click.echo("Writing certificate to: %s" % certificate_path)
|
||||
os.rename(certificate_path + ".part", certificate_path)
|
||||
selinux_fixup(certificate_partial)
|
||||
os.rename(certificate_partial, certificate_path)
|
||||
|
||||
# TODO: Validate fetched certificate against CA
|
||||
# TODO: Check that recevied certificate CN and pubkey match
|
||||
|
Loading…
Reference in New Issue
Block a user