lauri
/
certidude
mirror of https://github.com/laurivosandi/certidude
1
0
Fork 0
Code Issues Activity

tests: Fix several issues with signature profiles

This commit is contained in:
Lauri Võsandi 2018-04-10 09:29:05 +00:00
parent 360f22ab13
commit dbbcec6d64
4 changed files with 35 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
certidude/authority.py
View File

@ -312,7 +312,7 @@ def delete_request(common_name):
config.LONG_POLL_PUBLISH % hashlib.sha256(buf).hexdigest(),
headers={"User-Agent": "Certidude API"})
def sign(common_name, skip_notify=False, skip_push=False, overwrite=False, profile=None, signer=None):
def sign(common_name, skip_notify=False, skip_push=False, overwrite=False, profile="default", signer=None):
"""
Sign certificate signing request by it's common name
"""
@ -330,7 +330,7 @@ def sign(common_name, skip_notify=False, skip_push=False, overwrite=False, profi
os.unlink(req_path)
return cert, buf
def _sign(csr, buf, skip_notify=False, skip_push=False, overwrite=False, profile=None, signer=None):
def _sign(csr, buf, skip_notify=False, skip_push=False, overwrite=False, profile="default", signer=None):
# TODO: CRLDistributionPoints, OCSP URL, Certificate URL
if profile not in config.PROFILES:
raise ValueError("Invalid profile supplied '%s'" % profile)

26
certidude/cli.py
View File

@ -195,6 +195,9 @@ def certidude_enroll(fork, renew, no_wait, kerberos, skip_self):
finally:
if os.path.exists(authority_path):
click.echo("Found authority certificate in: %s" % authority_path)
with open(authority_path, "rb") as fh:
header, _, certificate_der_bytes = pem.unarmor(fh.read())
authority_certificate = x509.Certificate.load(certificate_der_bytes)
else:
if not os.path.exists(os.path.dirname(authority_path)):
os.makedirs(os.path.dirname(authority_path))
@ -203,7 +206,7 @@ def certidude_enroll(fork, renew, no_wait, kerberos, skip_self):
r = requests.get(authority_url,
headers={"Accept": "application/x-x509-ca-cert,application/x-pem-file"})
header, _, certificate_der_bytes = pem.unarmor(r.content)
cert = x509.Certificate.load(certificate_der_bytes)
authority_certificate = x509.Certificate.load(certificate_der_bytes)
except: # TODO: catch correct exceptions
raise
# raise ValueError("Failed to parse PEM: %s" % r.text)
@ -214,6 +217,10 @@ def certidude_enroll(fork, renew, no_wait, kerberos, skip_self):
selinux_fixup(authority_partial)
os.rename(authority_partial, authority_path)
authority_public_key = asymmetric.load_public_key(
authority_certificate["tbs_certificate"]["subject_public_key_info"])
# Attempt to install CA certificates system wide
try:
@ -288,17 +295,14 @@ def certidude_enroll(fork, renew, no_wait, kerberos, skip_self):
key_partial = key_path + ".part"
request_partial = request_path + ".part"
certificate = x509.Certificate.load(certificate_der_bytes)
public_key = asymmetric.load_public_key(certificate["tbs_certificate"]["subject_public_key_info"])
if public_key.algorithm == "ec":
self_public_key, private_key = asymmetric.generate_pair("ec", curve=public_key.curve)
elif public_key.algorithm == "rsa":
self_public_key, private_key = asymmetric.generate_pair("rsa", bit_size=public_key.bit_size)
if authority_public_key.algorithm == "ec":
self_public_key, private_key = asymmetric.generate_pair("ec", curve=authority_public_key.curve)
elif authority_public_key.algorithm == "rsa":
self_public_key, private_key = asymmetric.generate_pair("rsa", bit_size=authority_public_key.bit_size)
else:
NotImplemented
builder = CSRBuilder({"common_name": common_name}, public_key)
builder = CSRBuilder({"common_name": common_name}, self_public_key)
request = builder.build(private_key)
with open(key_partial, 'wb') as f:
f.write(asymmetric.dump_private_key(private_key, None))
@ -343,7 +347,7 @@ def certidude_enroll(fork, renew, no_wait, kerberos, skip_self):
asymmetric.rsa_pss_sign(
asymmetric.load_private_key(kh.read()),
cert_buf + rh.read(),
"sha512"))
"sha384"))
except EnvironmentError: # Certificate missing, can't renew
pass
else:
@ -1326,7 +1330,7 @@ def certidude_list(verbose, show_key_type, show_extensions, show_path, show_sign
@click.command("sign", help="Sign certificate")
@click.argument("common_name")
@click.option("--profile", "-p", default=None, help="Profile")
@click.option("--profile", "-p", default="default", help="Profile")
@click.option("--overwrite", "-o", default=False, is_flag=True, help="Revoke valid certificate with same CN")
def certidude_sign(common_name, overwrite, profile):
from certidude import authority

22
certidude/static/views/authority.html
View File

@ -90,9 +90,12 @@ curl -f -L -H "Content-type: application/pkcs10" --data-binary @client_req.pem \
<p>First enroll certificates:</p>
<div class="highlight">
<pre class="code"><code>
FQDN=$(cat /etc/hostname)
curl -f http://{{ window.location.hostname }}/api/certificate/ -o /etc/ipsec.d/cacerts/ca.pem; \
<pre class="code"><code>opkg update
opkg install curl strongswan-full strongswan-mod-kernel-libipsec kmod-crypto-echainiv kmod-crypto-gcm
FQDN=$(uci get system.@system[0].hostname)
cat << EOF > /etc/certidude/authority/{{ window.location.hostname }}/ca_cert.pem
{{ session.authority.certificate.blob }}
EOF
test -e /etc/ipsec.d/private/client.pem \
|| openssl ecparam -name secp384r1 -genkey -noout -out /etc/ipsec.d/private/client.pem; \
test -e /etc/ipsec.d/reqs/client.pem \
@ -107,8 +110,7 @@ curl -f -L -H "Content-type: application/pkcs10" \
<p>Then configure StrongSwan</p>
<div class="highlight">
<pre class="code"><code>
cat > /etc/ipsec.conf << EOF
<pre class="code"><code>cat > /etc/ipsec.conf << EOF
conn c2s
auto=start
right=router.k-space.ee
@ -176,7 +178,10 @@ chmod +x /etc/certidude/authority/{{ window.location.hostname }}/updown</code></
<p>Then either set up OpenVPN service:</p>
<div class="highlight">
<pre class="code"><code># Generate Diffie-Hellman parameters file for OpenVPN
<pre class="code"><code>opkg update
opkg install curl openssl-util openvpn-openssl
# Generate Diffie-Hellman parameters file for OpenVPN
test -e /etc/certidude/dh.pem \
|| openssl dhparam 2048 -out /etc/certidude/dh.pem
@ -265,7 +270,10 @@ done
<p>Alternatively or additionally set up StrongSwan:</p>
<div class="highlight">
<pre class="code"><code># Generate StrongSwan config
<pre class="code"><code>opkg update
opkg install curl openssl-util strongswan-full kmod-crypto-echainiv kmod-crypto-gcm
# Generate StrongSwan config
cat > /etc/ipsec.conf << EOF
config setup
strictcrlpolicy=yes

6
tests/test_cli.py
View File

@ -716,7 +716,7 @@ def test_cli_setup_authority():
child_pid = os.fork()
if not child_pid:
result = runner.invoke(cli, ["sign", "www.example.lan"])
result = runner.invoke(cli, ["sign", "www.example.lan", "--profile", "srv"])
assert not result.exception, result.output
assert "Publishing request-signed event 'www.example.lan' on http://localhost/ev/pub/" in result.output, result.output
return
@ -773,7 +773,7 @@ def test_cli_setup_authority():
child_pid = os.fork()
if not child_pid:
assert not os.path.exists("/var/lib/certidude/ca.example.lan/signed/vpn.example.lan.pem")
result = runner.invoke(cli, ["sign", "vpn.example.lan"])
result = runner.invoke(cli, ["sign", "vpn.example.lan", "--profile", "srv"])
assert not result.exception, result.output
assert "overwrit" not in result.output, result.output
assert "Publishing request-signed event 'vpn.example.lan' on http://localhost/ev/pub/" in result.output, result.output
@ -996,7 +996,7 @@ def test_cli_setup_authority():
child_pid = os.fork()
if not child_pid:
assert not os.path.exists("/var/lib/certidude/ca.example.lan/signed/ipsec.example.lan.pem")
result = runner.invoke(cli, ["sign", "ipsec.example.lan"])
result = runner.invoke(cli, ["sign", "ipsec.example.lan", "--profile", "srv"])
assert not result.exception, result.output
assert "overwrit" not in result.output, result.output
assert "Publishing request-signed event 'ipsec.example.lan' on http://localhost/ev/pub/" in result.output, result.output