
Migrate authority setup to certbuilder

This commit is contained in:
Lauri Võsandi 2017-07-27 21:53:11 +00:00
parent f069688a9a
commit bce906db36
2 changed files with 33 additions and 64 deletions


@ -934,7 +934,7 @@ def certidude_setup_authority(username, kerberos_keytab, nginx_config, country,
apt("python-setproctitle cython python-dev libkrb5-dev libffi-dev libssl-dev") apt("python-setproctitle cython python-dev libkrb5-dev libffi-dev libssl-dev")
apt("python-mimeparse python-markdown python-xattr python-jinja2 python-cffi") apt("python-mimeparse python-markdown python-xattr python-jinja2 python-cffi")
apt("python-ldap software-properties-common libsasl2-modules-gssapi-mit") apt("python-ldap software-properties-common libsasl2-modules-gssapi-mit")
pip("gssapi falcon cryptography humanize ipaddress simplepam humanize requests pyopenssl") pip("gssapi falcon humanize ipaddress simplepam humanize requests pyopenssl")
click.echo("Software dependencies installed") click.echo("Software dependencies installed")
os.system("add-apt-repository -y ppa:nginx/stable") os.system("add-apt-repository -y ppa:nginx/stable")
@ -945,12 +945,8 @@ def certidude_setup_authority(username, kerberos_keytab, nginx_config, country,
os.system("apt-get install -y nginx") os.system("apt-get install -y nginx")
import pwd import pwd
from cryptography import x509 from oscrypto import asymmetric
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID from certbuilder import CertificateBuilder, pem_armor_certificate
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from jinja2 import Environment, PackageLoader from jinja2 import Environment, PackageLoader
env = Environment(loader=PackageLoader("certidude", "templates"), trim_blocks=True) env = Environment(loader=PackageLoader("certidude", "templates"), trim_blocks=True)
@ -1075,74 +1071,46 @@ def certidude_setup_authority(username, kerberos_keytab, nginx_config, country,
if not os.path.exists(ca_key): if not os.path.exists(ca_key):
click.echo("Generating %d-bit RSA key for CA ..." % const.KEY_SIZE) click.echo("Generating %d-bit RSA key for CA ..." % const.KEY_SIZE)
key = rsa.generate_private_key( public_key, private_key = asymmetric.generate_pair('rsa', bit_size=const.KEY_SIZE)
public_exponent=65537,
key_size=const.KEY_SIZE, names = (
backend=default_backend() (u"country_name", country),
(u"state_or_province_name", state),
(u"locality_name", locality),
(u"organization_name", organization),
(u"common_name", common_name)
) )
subject = issuer = x509.Name([ builder = CertificateBuilder(
x509.NameAttribute(o, value) for o, value in ( dict([(k,v) for (k,v) in names if v]),
(NameOID.COUNTRY_NAME, country), public_key
(NameOID.STATE_OR_PROVINCE_NAME, state), )
(NameOID.LOCALITY_NAME, locality), builder.self_signed = True
(NameOID.ORGANIZATION_NAME, organization), builder.ca = True
(NameOID.COMMON_NAME, common_name), builder.subject_alt_domains = [common_name]
) if value builder.serial_number = random.randint(
])
builder = x509.CertificateBuilder(
).subject_name(subject
).issuer_name(issuer
).public_key(key.public_key()
).not_valid_before(datetime.utcnow()
).not_valid_after(
datetime.utcnow() + timedelta(days=authority_lifetime)
).serial_number(
random.randint(
0x100000000000000000000000000000000000000, 0x100000000000000000000000000000000000000,
0xfffffffffffffffffffffffffffffffffffffff) 0xfffffffffffffffffffffffffffffffffffffff)
).add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True, now = datetime.utcnow()
).add_extension(x509.KeyUsage( builder.begin_date = now - timedelta(minutes=5)
digital_signature=server_flags, builder.end_date = now + timedelta(days=authority_lifetime)
key_encipherment=server_flags,
content_commitment=False,
data_encipherment=False,
key_agreement=False,
key_cert_sign=True,
crl_sign=True,
encipher_only=False,
decipher_only=False), critical=True,
).add_extension(
x509.SubjectKeyIdentifier.from_public_key(key.public_key()),
critical=False
).add_extension(
x509.AuthorityKeyIdentifier.from_issuer_public_key(key.public_key()),
critical=False
)
if server_flags: if server_flags:
builder = builder.add_extension(x509.ExtendedKeyUsage([ builder.key_usage(set(['digital_signature', 'key_encipherment', 'key_cert_sign', 'crl_sign']))
ExtendedKeyUsageOID.SERVER_AUTH, builder.extended_key_usage(['server_auth', "1.3.6.1.5.5.8.2.2"])
x509.ObjectIdentifier("1.3.6.1.5.5.8.2.2")]), critical=False)
cert = builder.sign(key, hashes.SHA512(), default_backend()) certificate = builder.build(private_key)
click.echo("Signing %s..." % cert.subject)
# Set permission bits to 640 # Set permission bits to 640
os.umask(0o137) os.umask(0o137)
with open(ca_crt, "wb") as fh: with open(ca_crt, 'wb') as f:
fh.write(cert.public_bytes(serialization.Encoding.PEM)) f.write(pem_armor_certificate(certificate))
# Set permission bits to 600 # Set permission bits to 600
os.umask(0o177) os.umask(0o177)
with open(ca_key, "wb") as fh: with open(ca_key, 'wb') as f:
fh.write(key.private_bytes( f.write(asymmetric.dump_private_key(private_key, None))
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption() # TODO: Implement passphrase
))
click.echo("To enable e-mail notifications install Postfix as sattelite system and set mailer address in %s" % const.CONFIG_PATH) click.echo("To enable e-mail notifications install Postfix as sattelite system and set mailer address in %s" % const.CONFIG_PATH)
click.echo() click.echo()
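Review bot: The CA serial number is still drawn from `random.randint` (the `builder.serial_number = random.randint(` line), a non-cryptographic PRNG; certificate serials should be unpredictable, so use `builder.serial_number = random.SystemRandom().randint(` with the same bounds, which works on both Python 2 and 3 without a new import. The `builder.key_usage(...)` and `builder.extended_key_usage(...)` lines are written as calls while every other builder field in this hunk (`self_signed`, `ca`, `subject_alt_domains`, `serial_number`, `begin_date`, `end_date`) is assigned; if these are property setters like the others, the call raises TypeError at runtime, and either way `key_cert_sign`/`crl_sign` are now only set under `if server_flags:` whereas the removed code always set them on the CA, so a non-server authority depends on whatever default certbuilder applies — worth confirming. The `# TODO: Implement passphrase` note that sat beside the unencrypted key export was dropped; keep it on the `f.write(asymmetric.dump_private_key(private_key, None))` line so the cleartext key on disk stays visible as a known gap. The removed code's BasicConstraints path_length=0 has no visible counterpart in the new builder setup. certidude_setup_authority starts outside the hunk.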


@ -1,2 +1,3 @@
click>=6.7 click>=6.7
configparser>=3.5.0 configparser>=3.5.0
certbuilder