mirror of
https://github.com/laurivosandi/certidude
synced 2024-12-23 00:25:18 +00:00
cli: Add Yubikey enrollment command
This commit is contained in:
parent
a663efd39e
commit
f477fb9ad8
@ -20,6 +20,7 @@ from certidude.common import expand_paths, ip_address, ip_network
|
|||||||
from cryptography import x509
|
from cryptography import x509
|
||||||
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
|
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
|
||||||
from cryptography.hazmat.backends import default_backend
|
from cryptography.hazmat.backends import default_backend
|
||||||
|
from cryptography.hazmat.primitives import serialization
|
||||||
from cryptography.hazmat.primitives import hashes, serialization
|
from cryptography.hazmat.primitives import hashes, serialization
|
||||||
from cryptography.hazmat.primitives.asymmetric import rsa
|
from cryptography.hazmat.primitives.asymmetric import rsa
|
||||||
from datetime import datetime, timedelta
|
from datetime import datetime, timedelta
|
||||||
@ -1202,6 +1203,50 @@ def certidude_serve(port, listen, fork):
|
|||||||
if not fork or not os.fork():
|
if not fork or not os.fork():
|
||||||
httpd.serve_forever()
|
httpd.serve_forever()
|
||||||
|
|
||||||
|
|
||||||
|
@click.command("yubikey", help="Set up Yubikey as client authentication token")
|
||||||
|
@click.argument("authority")
|
||||||
|
@click.option("-p", "--pin", default="123456", help="Slot pincode, 123456 by default")
|
||||||
|
@click.option("-s", "--slot", default="9a", help="Yubikey slot to use, 9a by default")
|
||||||
|
@click.option("-u", "--username", default=os.getenv("USER"), help="Username to use, %s by default" % os.getenv("USER"))
|
||||||
|
def certidude_setup_yubikey(authority, slot, username, pin):
|
||||||
|
cmd = "ykinfo", "-q", "-s"
|
||||||
|
click.echo("Executing: %s" % " ".join(cmd))
|
||||||
|
serial = subprocess.check_output(cmd).strip()
|
||||||
|
|
||||||
|
dn = "/CN=%s@yk-%s-%s" % (username, slot, serial)
|
||||||
|
|
||||||
|
cmd = "yubico-piv-tool", "-a", "generate", "-s", slot, "-o", "/tmp/pk.pem"
|
||||||
|
click.echo("Executing: %s" % " ".join(cmd))
|
||||||
|
subprocess.call(cmd)
|
||||||
|
|
||||||
|
cmd = "yubico-piv-tool", \
|
||||||
|
"-i", "/tmp/pk.pem", "-o", "/tmp/req.pem", \
|
||||||
|
"-P", pin, \
|
||||||
|
"-S", dn, \
|
||||||
|
"-a", "verify", "-a", "request", \
|
||||||
|
"-s", slot
|
||||||
|
click.echo("Executing: %s" % " ".join(cmd))
|
||||||
|
|
||||||
|
scheme = "http"
|
||||||
|
request_url = "%s://%s/api/request/?wait=true" % (scheme, authority)
|
||||||
|
|
||||||
|
subprocess.check_output(cmd)
|
||||||
|
click.echo("Submitting to %s, waiting for response..." % request_url)
|
||||||
|
headers={
|
||||||
|
"Content-Type": "application/pkcs10",
|
||||||
|
"Accept": "application/x-x509-user-cert,application/x-pem-file"
|
||||||
|
}
|
||||||
|
|
||||||
|
submission = requests.post(request_url, data=open("/tmp/req.pem"), headers=headers)
|
||||||
|
with open("/tmp/cert.pem", "w") as fh:
|
||||||
|
fh.write(submission.text)
|
||||||
|
|
||||||
|
cmd = "yubico-piv-tool", "-a", "import-certificate", "-s", slot, "-i", "/tmp/cert.pem"
|
||||||
|
click.echo("Executing: %s" % " ".join(cmd))
|
||||||
|
subprocess.call(cmd)
|
||||||
|
|
||||||
|
|
||||||
@click.group("strongswan", help="strongSwan helpers")
|
@click.group("strongswan", help="strongSwan helpers")
|
||||||
def certidude_setup_strongswan(): pass
|
def certidude_setup_strongswan(): pass
|
||||||
|
|
||||||
@ -1224,6 +1269,7 @@ certidude_setup.add_command(certidude_setup_authority)
|
|||||||
certidude_setup.add_command(certidude_setup_openvpn)
|
certidude_setup.add_command(certidude_setup_openvpn)
|
||||||
certidude_setup.add_command(certidude_setup_strongswan)
|
certidude_setup.add_command(certidude_setup_strongswan)
|
||||||
certidude_setup.add_command(certidude_setup_nginx)
|
certidude_setup.add_command(certidude_setup_nginx)
|
||||||
|
certidude_setup.add_command(certidude_setup_yubikey)
|
||||||
entry_point.add_command(certidude_setup)
|
entry_point.add_command(certidude_setup)
|
||||||
entry_point.add_command(certidude_serve)
|
entry_point.add_command(certidude_serve)
|
||||||
entry_point.add_command(certidude_request)
|
entry_point.add_command(certidude_request)
|
||||||
|
Loading…
Reference in New Issue
Block a user