mirror of
https://github.com/laurivosandi/certidude
synced 2024-12-23 00:25:18 +00:00
Migrate authority setup to certbuilder
This commit is contained in:
parent
f069688a9a
commit
bce906db36
@ -934,7 +934,7 @@ def certidude_setup_authority(username, kerberos_keytab, nginx_config, country,
|
|||||||
apt("python-setproctitle cython python-dev libkrb5-dev libffi-dev libssl-dev")
|
apt("python-setproctitle cython python-dev libkrb5-dev libffi-dev libssl-dev")
|
||||||
apt("python-mimeparse python-markdown python-xattr python-jinja2 python-cffi")
|
apt("python-mimeparse python-markdown python-xattr python-jinja2 python-cffi")
|
||||||
apt("python-ldap software-properties-common libsasl2-modules-gssapi-mit")
|
apt("python-ldap software-properties-common libsasl2-modules-gssapi-mit")
|
||||||
pip("gssapi falcon cryptography humanize ipaddress simplepam humanize requests pyopenssl")
|
pip("gssapi falcon humanize ipaddress simplepam humanize requests pyopenssl")
|
||||||
click.echo("Software dependencies installed")
|
click.echo("Software dependencies installed")
|
||||||
|
|
||||||
os.system("add-apt-repository -y ppa:nginx/stable")
|
os.system("add-apt-repository -y ppa:nginx/stable")
|
||||||
@ -945,12 +945,8 @@ def certidude_setup_authority(username, kerberos_keytab, nginx_config, country,
|
|||||||
os.system("apt-get install -y nginx")
|
os.system("apt-get install -y nginx")
|
||||||
|
|
||||||
import pwd
|
import pwd
|
||||||
from cryptography import x509
|
from oscrypto import asymmetric
|
||||||
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
|
from certbuilder import CertificateBuilder, pem_armor_certificate
|
||||||
from cryptography.hazmat.backends import default_backend
|
|
||||||
from cryptography.hazmat.primitives import serialization
|
|
||||||
from cryptography.hazmat.primitives import hashes, serialization
|
|
||||||
from cryptography.hazmat.primitives.asymmetric import rsa
|
|
||||||
from jinja2 import Environment, PackageLoader
|
from jinja2 import Environment, PackageLoader
|
||||||
env = Environment(loader=PackageLoader("certidude", "templates"), trim_blocks=True)
|
env = Environment(loader=PackageLoader("certidude", "templates"), trim_blocks=True)
|
||||||
|
|
||||||
@ -1075,74 +1071,46 @@ def certidude_setup_authority(username, kerberos_keytab, nginx_config, country,
|
|||||||
if not os.path.exists(ca_key):
|
if not os.path.exists(ca_key):
|
||||||
click.echo("Generating %d-bit RSA key for CA ..." % const.KEY_SIZE)
|
click.echo("Generating %d-bit RSA key for CA ..." % const.KEY_SIZE)
|
||||||
|
|
||||||
key = rsa.generate_private_key(
|
public_key, private_key = asymmetric.generate_pair('rsa', bit_size=const.KEY_SIZE)
|
||||||
public_exponent=65537,
|
|
||||||
key_size=const.KEY_SIZE,
|
names = (
|
||||||
backend=default_backend()
|
(u"country_name", country),
|
||||||
|
(u"state_or_province_name", state),
|
||||||
|
(u"locality_name", locality),
|
||||||
|
(u"organization_name", organization),
|
||||||
|
(u"common_name", common_name)
|
||||||
)
|
)
|
||||||
|
|
||||||
subject = issuer = x509.Name([
|
builder = CertificateBuilder(
|
||||||
x509.NameAttribute(o, value) for o, value in (
|
dict([(k,v) for (k,v) in names if v]),
|
||||||
(NameOID.COUNTRY_NAME, country),
|
public_key
|
||||||
(NameOID.STATE_OR_PROVINCE_NAME, state),
|
)
|
||||||
(NameOID.LOCALITY_NAME, locality),
|
builder.self_signed = True
|
||||||
(NameOID.ORGANIZATION_NAME, organization),
|
builder.ca = True
|
||||||
(NameOID.COMMON_NAME, common_name),
|
builder.subject_alt_domains = [common_name]
|
||||||
) if value
|
builder.serial_number = random.randint(
|
||||||
])
|
|
||||||
|
|
||||||
builder = x509.CertificateBuilder(
|
|
||||||
).subject_name(subject
|
|
||||||
).issuer_name(issuer
|
|
||||||
).public_key(key.public_key()
|
|
||||||
).not_valid_before(datetime.utcnow()
|
|
||||||
).not_valid_after(
|
|
||||||
datetime.utcnow() + timedelta(days=authority_lifetime)
|
|
||||||
).serial_number(
|
|
||||||
random.randint(
|
|
||||||
0x100000000000000000000000000000000000000,
|
0x100000000000000000000000000000000000000,
|
||||||
0xfffffffffffffffffffffffffffffffffffffff)
|
0xfffffffffffffffffffffffffffffffffffffff)
|
||||||
).add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True,
|
now = datetime.utcnow()
|
||||||
).add_extension(x509.KeyUsage(
|
builder.begin_date = now - timedelta(minutes=5)
|
||||||
digital_signature=server_flags,
|
builder.end_date = now + timedelta(days=authority_lifetime)
|
||||||
key_encipherment=server_flags,
|
|
||||||
content_commitment=False,
|
|
||||||
data_encipherment=False,
|
|
||||||
key_agreement=False,
|
|
||||||
key_cert_sign=True,
|
|
||||||
crl_sign=True,
|
|
||||||
encipher_only=False,
|
|
||||||
decipher_only=False), critical=True,
|
|
||||||
).add_extension(
|
|
||||||
x509.SubjectKeyIdentifier.from_public_key(key.public_key()),
|
|
||||||
critical=False
|
|
||||||
).add_extension(
|
|
||||||
x509.AuthorityKeyIdentifier.from_issuer_public_key(key.public_key()),
|
|
||||||
critical=False
|
|
||||||
)
|
|
||||||
|
|
||||||
if server_flags:
|
if server_flags:
|
||||||
builder = builder.add_extension(x509.ExtendedKeyUsage([
|
builder.key_usage(set(['digital_signature', 'key_encipherment', 'key_cert_sign', 'crl_sign']))
|
||||||
ExtendedKeyUsageOID.SERVER_AUTH,
|
builder.extended_key_usage(['server_auth', "1.3.6.1.5.5.8.2.2"])
|
||||||
x509.ObjectIdentifier("1.3.6.1.5.5.8.2.2")]), critical=False)
|
|
||||||
|
|
||||||
cert = builder.sign(key, hashes.SHA512(), default_backend())
|
certificate = builder.build(private_key)
|
||||||
|
|
||||||
click.echo("Signing %s..." % cert.subject)
|
|
||||||
|
|
||||||
# Set permission bits to 640
|
# Set permission bits to 640
|
||||||
os.umask(0o137)
|
os.umask(0o137)
|
||||||
with open(ca_crt, "wb") as fh:
|
with open(ca_crt, 'wb') as f:
|
||||||
fh.write(cert.public_bytes(serialization.Encoding.PEM))
|
f.write(pem_armor_certificate(certificate))
|
||||||
|
|
||||||
# Set permission bits to 600
|
# Set permission bits to 600
|
||||||
os.umask(0o177)
|
os.umask(0o177)
|
||||||
with open(ca_key, "wb") as fh:
|
with open(ca_key, 'wb') as f:
|
||||||
fh.write(key.private_bytes(
|
f.write(asymmetric.dump_private_key(private_key, None))
|
||||||
encoding=serialization.Encoding.PEM,
|
|
||||||
format=serialization.PrivateFormat.TraditionalOpenSSL,
|
|
||||||
encryption_algorithm=serialization.NoEncryption() # TODO: Implement passphrase
|
|
||||||
))
|
|
||||||
|
|
||||||
click.echo("To enable e-mail notifications install Postfix as sattelite system and set mailer address in %s" % const.CONFIG_PATH)
|
click.echo("To enable e-mail notifications install Postfix as sattelite system and set mailer address in %s" % const.CONFIG_PATH)
|
||||||
click.echo()
|
click.echo()
|
||||||
|
@ -1,2 +1,3 @@
|
|||||||
click>=6.7
|
click>=6.7
|
||||||
configparser>=3.5.0
|
configparser>=3.5.0
|
||||||
|
certbuilder
|
||||||
|
Loading…
Reference in New Issue
Block a user