
cli: Fix authority setup script

This commit is contained in:
Lauri Võsandi 2016-03-29 18:37:28 +03:00
parent 476a312b4e
commit af60fd8047
2 changed files with 18 additions and 10 deletions


@ -571,6 +571,8 @@ def certidude_setup_strongswan_server(server, config, secrets, subnet, route, em
click.echo(" apt-get install strongswan strongswan-starter strongswan-ikev2") click.echo(" apt-get install strongswan strongswan-starter strongswan-ikev2")
click.secho(" service strongswan restart", bold=True) click.secho(" service strongswan restart", bold=True)
click.echo() click.echo()
click.echo("If you're running Ubuntu make sure you're not affected by #1505222")
click.echo("https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1505222")
@click.command("client", help="Set up strongSwan client") @click.command("client", help="Set up strongSwan client")
@ -773,7 +775,7 @@ def certidude_setup_production(username, hostname, push_server, nginx_config, uw
@click.option("--locality", "-l", default=None, help="City or locality, none by default") @click.option("--locality", "-l", default=None, help="City or locality, none by default")
@click.option("--authority-lifetime", default=20*365, help="Authority certificate lifetime in days, 7300 days (20 years) by default") @click.option("--authority-lifetime", default=20*365, help="Authority certificate lifetime in days, 7300 days (20 years) by default")
@click.option("--certificate-lifetime", default=5*365, help="Certificate lifetime in days, 1825 days (5 years) by default") @click.option("--certificate-lifetime", default=5*365, help="Certificate lifetime in days, 1825 days (5 years) by default")
@click.option("--revocation-list-lifetime", default=1, help="Revocation list lifetime in days, 1 day by default") @click.option("--revocation-list-lifetime", default=20*60, help="Revocation list lifetime in days, 1200 seconds (20 minutes) by default")
@click.option("--organization", "-o", default=None, help="Company or organization name") @click.option("--organization", "-o", default=None, help="Company or organization name")
@click.option("--organizational-unit", "-ou", default=None) @click.option("--organizational-unit", "-ou", default=None)
@click.option("--pkcs11", default=False, is_flag=True, help="Use PKCS#11 token instead of files") @click.option("--pkcs11", default=False, is_flag=True, help="Use PKCS#11 token instead of files")
@ -782,9 +784,10 @@ def certidude_setup_production(username, hostname, push_server, nginx_config, uw
@click.option("--ocsp-responder-url", default=None, help="OCSP responder URL") @click.option("--ocsp-responder-url", default=None, help="OCSP responder URL")
@click.option("--push-server", default="http://push.%s" % constants.DOMAIN, help="Push server, http://push.%s by default" % constants.DOMAIN) @click.option("--push-server", default="http://push.%s" % constants.DOMAIN, help="Push server, http://push.%s by default" % constants.DOMAIN)
@click.option("--email-address", default="certidude@" + FQDN, help="E-mail address of the CA") @click.option("--email-address", default="certidude@" + FQDN, help="E-mail address of the CA")
@click.option("--directory", default=os.path.join("/var/lib/certidude", FQDN), help="Directory for authority files, /var/lib/certidude/ by default") @click.option("--directory", default=os.path.join("/var/lib/certidude", FQDN), help="Directory for authority files, /var/lib/certidude/%s/ by default" % FQDN)
@click.option("--server-flags", is_flag=True, help="Add TLS Server and IKE Intermediate extended key usage flags")
@click.option("--outbox", default="smtp://smtp.%s" % constants.DOMAIN, help="SMTP server, smtp://smtp.%s by default" % constants.DOMAIN) @click.option("--outbox", default="smtp://smtp.%s" % constants.DOMAIN, help="SMTP server, smtp://smtp.%s by default" % constants.DOMAIN)
def certidude_setup_authority(parent, country, state, locality, organization, organizational_unit, common_name, directory, certificate_lifetime, authority_lifetime, revocation_list_lifetime, pkcs11, revoked_url, certificate_url, ocsp_responder_url, push_server, email_address, outbox): def certidude_setup_authority(parent, country, state, locality, organization, organizational_unit, common_name, directory, certificate_lifetime, authority_lifetime, revocation_list_lifetime, pkcs11, revoked_url, certificate_url, ocsp_responder_url, push_server, email_address, outbox, server_flags):
# Make sure common_name is valid # Make sure common_name is valid
if not re.match(r"^[\.\-_a-zA-Z0-9]+$", common_name): if not re.match(r"^[\.\-_a-zA-Z0-9]+$", common_name):
@ -848,10 +851,6 @@ def certidude_setup_authority(parent, country, state, locality, organization, or
b"keyUsage", b"keyUsage",
True, True,
b"digitalSignature, keyCertSign, cRLSign"), b"digitalSignature, keyCertSign, cRLSign"),
crypto.X509Extension(
b"extendedKeyUsage",
False,
b"serverAuth,1.3.6.1.5.5.8.2.2"),
crypto.X509Extension( crypto.X509Extension(
b"subjectKeyIdentifier", b"subjectKeyIdentifier",
False, False,
@ -863,6 +862,14 @@ def certidude_setup_authority(parent, country, state, locality, organization, or
(u"DNS: %s, email: %s" % (common_name, email_address)).encode("ascii")) (u"DNS: %s, email: %s" % (common_name, email_address)).encode("ascii"))
]) ])
if server_flags:
ca.add_extensions([
crypto.X509Extension(
b"extendedKeyUsage",
False,
b"serverAuth,1.3.6.1.5.5.8.2.2")
])
ca.add_extensions([ ca.add_extensions([
crypto.X509Extension( crypto.X509Extension(
b"authorityKeyIdentifier", b"authorityKeyIdentifier",
@ -890,7 +897,7 @@ def certidude_setup_authority(parent, country, state, locality, organization, or
# openssl x509 -in ca_crt.pem -outform DER | sha256sum # openssl x509 -in ca_crt.pem -outform DER | sha256sum
# openssl x509 -fingerprint -in ca_crt.pem # openssl x509 -fingerprint -in ca_crt.pem
ca.sign(key, "sha256") ca.sign(key, "sha512")
_, _, uid, gid, gecos, root, shell = pwd.getpwnam("certidude") _, _, uid, gid, gecos, root, shell = pwd.getpwnam("certidude")
os.setgid(gid) os.setgid(gid)
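Review bot: The help text on the `--revocation-list-lifetime` option now contradicts its own default: it still says "in days" while the new default `20*60` is described as "1200 seconds (20 minutes)", and the template hunk in the second file feeds the value straight into `revocation list lifetime = {{ revocation_list_lifetime }}`, where the previously hard-coded value was `1200`, so seconds appears to be the unit the consumer expects. Suggested line: `@click.option("--revocation-list-lifetime", default=20*60, help="Revocation list lifetime in seconds, 1200 seconds (20 minutes) by default")`. Separately, the new `if server_flags:` block adds `serverAuth` and the `1.3.6.1.5.5.8.2.2` (IKE Intermediate) EKU to the authority certificate itself rather than to any issued certificate, which the `--server-flags` help text does not make clear; a comment above that block such as `# EKU goes on the CA certificate itself, not on issued certificates` (plus the intended use, which I cannot tell from the hunk) would help the next reader. The body of certidude_setup_authority continues outside these hunks.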


@ -60,8 +60,8 @@ schema = strongswan
database = sqlite://{{ directory }}/db.sqlite database = sqlite://{{ directory }}/db.sqlite
[signature] [signature]
certificate lifetime = 1825 certificate lifetime = {{ certificate_lifetime }}
revocation list lifetime = 1200 revocation list lifetime = {{ revocation_list_lifetime }}
certificate url = {{ certificate_url }} certificate url = {{ certificate_url }}
revoked url = {{ revoked_url }} revoked url = {{ revoked_url }}
@ -77,3 +77,4 @@ signed dir = {{ directory }}/signed/
revoked dir = {{ directory }}/revoked/ revoked dir = {{ directory }}/revoked/
expired dir = {{ directory }}/expired/ expired dir = {{ directory }}/expired/
outbox = {{ outbox }} outbox = {{ outbox }}