lauri/certidude
1
0
Fork 0
mirror of https://github.com/laurivosandi/certidude synced 2024-11-10 15:10:35 +00:00
Code Issues Activity

Major refactoring, CA is associated with it's hostname now

Browse Source
This commit is contained in:
Lauri Võsandi 2015-11-15 15:55:26 +01:00
parent e6f050c257
commit f893582338
23 changed files with 424 additions and 533 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
README.rst
View File

@ -83,11 +83,20 @@ Create a system user for ``certidude``:
Setting up CA Setting up CA
-------------- --------------
Certidude can set up CA relatively easily: First make sure the machine used for CA has fully qualified
domain name set up properly.
You can check it with:
hostname -f
The command should return ca.example.co
Certidude can set up CA relatively easily, following will set up
CA in /var/lib/certidude/hostname.domain:
.. code:: bash .. code:: bash
certidude setup authority /path/to/directory certidude setup authority
Tweak command-line options until you meet your requirements and Tweak command-line options until you meet your requirements and
then insert generated section to your /etc/ssl/openssl.cnf then insert generated section to your /etc/ssl/openssl.cnf
@ -112,7 +121,7 @@ Use following command to request a certificate on a machine:
.. code:: .. code::
certidude setup client http://certidude-hostname-or-ip:perhaps-port/api/ca-name/ certidude setup client ca.example.com
Use following to list signing requests, certificates and revoked certificates: Use following to list signing requests, certificates and revoked certificates:
@ -185,20 +194,26 @@ configure the site in /etc/nginx/sites-available.d/certidude:
listen 80 default_server; listen 80 default_server;
listen [::]:80 default_server ipv6only=on; listen [::]:80 default_server ipv6only=on;
location ~ /event/publish/(.*) { location /pub {
allow 127.0.0.1; # Allow publishing only from this IP address allow 127.0.0.1; # Allow publishing only from CA machine
push_stream_publisher admin; push_stream_publisher admin;
push_stream_channels_path $1; push_stream_channels_path $arg_id;
} }
location ~ /event/subscribe/(.*) { location ~ "^/lp/(.*)" {
push_stream_channels_path $1; push_stream_channels_path $1;
push_stream_subscriber long-polling; push_stream_subscriber long-polling;
} }
location ~ "^/ev/(.*)" {
push_stream_channels_path $1;
push_stream_subscriber eventsource;
}
location / { location / {
include uwsgi_params; proxy_pass http://ca.koodur.com/;
uwsgi_pass certidude_api; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
} }
} }
@ -239,8 +254,7 @@ Also adjust ``/etc/nginx/nginx.conf``:
In your CA ssl.cnf make sure Certidude is aware of your nginx setup: In your CA ssl.cnf make sure Certidude is aware of your nginx setup:
publish_certificate_url = http://push.example.com/event/publish/%(request_sha1sum)s push_server = http://push.example.com/
subscribe_certificate_url = http://push.example.com/event/subscribe/%(request_sha1sum)s
Restart the services: Restart the services:
@ -338,7 +352,7 @@ Create ``/etc/NetworkManager/dispatcher.d/certidude`` with following content:
case "$2" in case "$2" in
up) up)
LANG=C.UTF-8 /usr/local/bin/certidude setup strongswan networkmanager http://ca.example.org/api/laptops/ gateway.example.org LANG=C.UTF-8 /usr/local/bin/certidude setup strongswan networkmanager ca.example.com gateway.example.com
;; ;;
esac esac

251
certidude/api.py
View File

@ -21,22 +21,45 @@ env = Environment(loader=PackageLoader("certidude", "templates"))
RE_HOSTNAME = "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$" RE_HOSTNAME = "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$"
OIDS = {
(2, 5, 4, 3) : 'CN', # common name
(2, 5, 4, 6) : 'C', # country
(2, 5, 4, 7) : 'L', # locality
(2, 5, 4, 8) : 'ST', # stateOrProvince
(2, 5, 4, 10) : 'O', # organization
(2, 5, 4, 11) : 'OU', # organizationalUnit
}
def parse_dn(data):
chunks, remainder = decoder.decode(data)
dn = ""
if remainder:
raise ValueError()
# TODO: Check for duplicate entries?
def generate():
for chunk in chunks:
for chunkette in chunk:
key, value = chunkette
yield str(OIDS[key] + "=" + value)
return ", ".join(generate())
def omit(**kwargs): def omit(**kwargs):
return dict([(key,value) for (key, value) in kwargs.items() if value]) return dict([(key,value) for (key, value) in kwargs.items() if value])
def event_source(func): def event_source(func):
def wrapped(self, req, resp, ca, *args, **kwargs): def wrapped(self, req, resp, *args, **kwargs):
if req.get_header("Accept") == "text/event-stream": if req.get_header("Accept") == "text/event-stream":
resp.status = falcon.HTTP_SEE_OTHER resp.status = falcon.HTTP_SEE_OTHER
resp.location = ca.push_server + "/ev/" + ca.uuid resp.location = req.context.get("ca").push_server + "/ev/" + req.context.get("ca").uuid
resp.body = "Redirecting to:" + resp.location resp.body = "Redirecting to:" + resp.location
print("Delegating EventSource handling to:", resp.location) print("Delegating EventSource handling to:", resp.location)
return func(self, req, resp, ca, *args, **kwargs) return func(self, req, resp, *args, **kwargs)
return wrapped return wrapped
def authorize_admin(func): def authorize_admin(func):
def wrapped(self, req, resp, *args, **kwargs): def wrapped(self, req, resp, *args, **kwargs):
authority = kwargs.get("ca") authority = req.context.get("ca")
# Parse remote IPv4/IPv6 address # Parse remote IPv4/IPv6 address
remote_addr = ipaddress.ip_network(req.env["REMOTE_ADDR"]) remote_addr = ipaddress.ip_network(req.env["REMOTE_ADDR"])
@ -50,19 +73,19 @@ def authorize_admin(func):
raise falcon.HTTPForbidden("Forbidden", "Remote address %s not whitelisted" % remote_addr) raise falcon.HTTPForbidden("Forbidden", "Remote address %s not whitelisted" % remote_addr)
# Check for username whitelist # Check for username whitelist
kerberos_username, kerberos_realm = kwargs.get("user") kerberos_username, kerberos_realm = req.context.get("user")
if kerberos_username not in authority.admin_users: if kerberos_username not in authority.admin_users:
raise falcon.HTTPForbidden("Forbidden", "User %s not whitelisted" % kerberos_username) raise falcon.HTTPForbidden("Forbidden", "User %s not whitelisted" % kerberos_username)
# Retain username, TODO: Better abstraction with username, e-mail, sn, gn? # Retain username, TODO: Better abstraction with username, e-mail, sn, gn?
kwargs["user"] = kerberos_username
return func(self, req, resp, *args, **kwargs) return func(self, req, resp, *args, **kwargs)
return wrapped return wrapped
def pop_certificate_authority(func): def pop_certificate_authority(func):
def wrapped(self, req, resp, *args, **kwargs): def wrapped(self, req, resp, *args, **kwargs):
kwargs["ca"] = self.config.instantiate_authority(kwargs["ca"]) req.context["ca"] = self.config.instantiate_authority(req.env["HTTP_HOST"])
return func(self, req, resp, *args, **kwargs) return func(self, req, resp, *args, **kwargs)
return wrapped return wrapped
@ -111,7 +134,7 @@ class MyEncoder(json.JSONEncoder):
if isinstance(obj, CertificateAuthority): if isinstance(obj, CertificateAuthority):
return dict( return dict(
event_channel = obj.push_server + "/ev/" + obj.uuid, event_channel = obj.push_server + "/ev/" + obj.uuid,
slug = obj.slug, common_name = obj.common_name,
certificate = obj.certificate, certificate = obj.certificate,
admin_users = obj.admin_users, admin_users = obj.admin_users,
autosign_subnets = obj.autosign_subnets, autosign_subnets = obj.autosign_subnets,
@ -137,12 +160,12 @@ def serialize(func):
resp.set_header("Expires", "0"); resp.set_header("Expires", "0");
r = func(instance, req, resp, **kwargs) r = func(instance, req, resp, **kwargs)
if resp.body is None: if resp.body is None:
if not req.client_accepts_json: if req.get_header("Accept").split(",")[0] == "application/json":
raise falcon.HTTPUnsupportedMediaType( resp.set_header("Content-Type", "application/json")
"This API only supports the JSON media type.", resp.append_header("Content-Disposition", "inline")
href="http://docs.examples.com/api/json") resp.body = json.dumps(r, cls=MyEncoder)
resp.set_header("Content-Type", "application/json") else:
resp.body = json.dumps(r, cls=MyEncoder) resp.body = repr(r)
return r return r
return wrapped return wrapped
@ -162,7 +185,6 @@ def templatize(path):
resp.set_header("Content-Type", "application/json") resp.set_header("Content-Type", "application/json")
r.pop("req") r.pop("req")
r.pop("resp") r.pop("resp")
r.pop("user")
resp.body = json.dumps(r, cls=MyEncoder) resp.body = json.dumps(r, cls=MyEncoder)
return r return r
else: else:
@ -180,59 +202,39 @@ class CertificateAuthorityBase(object):
class RevocationListResource(CertificateAuthorityBase): class RevocationListResource(CertificateAuthorityBase):
@pop_certificate_authority @pop_certificate_authority
def on_get(self, req, resp, ca): def on_get(self, req, resp):
resp.set_header("Content-Type", "application/x-pkcs7-crl") resp.set_header("Content-Type", "application/x-pkcs7-crl")
resp.append_header("Content-Disposition", "attachment; filename=%s.crl" % ca.slug) resp.append_header("Content-Disposition", "attachment; filename=%s.crl" % req.context.get("ca").common_name)
resp.body = ca.export_crl() resp.body = req.context.get("ca").export_crl()
class SignedCertificateDetailResource(CertificateAuthorityBase): class SignedCertificateDetailResource(CertificateAuthorityBase):
@serialize
@pop_certificate_authority @pop_certificate_authority
@validate_common_name @validate_common_name
def on_get(self, req, resp, ca, cn): def on_get(self, req, resp, cn):
path = os.path.join(ca.signed_dir, cn + ".pem") path = os.path.join(req.context.get("ca").signed_dir, cn + ".pem")
if not os.path.exists(path): if not os.path.exists(path):
raise falcon.HTTPNotFound() raise falcon.HTTPNotFound()
resp.stream = open(path, "rb")
resp.append_header("Content-Disposition", "attachment; filename=%s.crt" % cn) resp.append_header("Content-Disposition", "attachment; filename=%s.crt" % cn)
return Certificate(open(path))
@login_required @login_required
@pop_certificate_authority @pop_certificate_authority
@authorize_admin @authorize_admin
@validate_common_name @validate_common_name
def on_delete(self, req, resp, ca, cn, user): def on_delete(self, req, resp, cn):
ca.revoke(cn) req.context.get("ca").revoke(cn)
class LeaseResource(CertificateAuthorityBase): class LeaseResource(CertificateAuthorityBase):
@serialize @serialize
@login_required @login_required
@pop_certificate_authority @pop_certificate_authority
@authorize_admin @authorize_admin
def on_get(self, req, resp, ca, user): def on_get(self, req, resp):
from ipaddress import ip_address from ipaddress import ip_address
OIDS = {
(2, 5, 4, 3) : 'CN', # common name
(2, 5, 4, 6) : 'C', # country
(2, 5, 4, 7) : 'L', # locality
(2, 5, 4, 8) : 'ST', # stateOrProvince
(2, 5, 4, 10) : 'O', # organization
(2, 5, 4, 11) : 'OU', # organizationalUnit
}
def parse_dn(data):
chunks, remainder = decoder.decode(data)
dn = ""
if remainder:
raise ValueError()
# TODO: Check for duplicate entries?
def generate():
for chunk in chunks:
for chunkette in chunk:
key, value = chunkette
yield str(OIDS[key] + "=" + value)
return ", ".join(generate())
# BUGBUG # BUGBUG
SQL_LEASES = """ SQL_LEASES = """
SELECT SELECT
@ -249,17 +251,18 @@ class LeaseResource(CertificateAuthorityBase):
WHERE WHERE
addresses.released <> 1 addresses.released <> 1
""" """
cnx = ca.database.get_connection() cnx = req.context.get("ca").database.get_connection()
cursor = cnx.cursor(dictionary=True) cursor = cnx.cursor()
query = (SQL_LEASES) query = (SQL_LEASES)
cursor.execute(query) cursor.execute(query)
for row in cursor: for acquired, released, address, identity in cursor:
row["acquired"] = datetime.utcfromtimestamp(row["acquired"]) yield {
row["released"] = datetime.utcfromtimestamp(row["released"]) if row["released"] else None "acquired": datetime.utcfromtimestamp(acquired),
row["address"] = ip_address(bytes(row["address"])) "released": datetime.utcfromtimestamp(released) if released else None,
row["identity"] = parse_dn(bytes(row["identity"])) "address": ip_address(bytes(address)),
yield row "identity": parse_dn(bytes(identity))
}
class SignedCertificateListResource(CertificateAuthorityBase): class SignedCertificateListResource(CertificateAuthorityBase):
@ -267,7 +270,7 @@ class SignedCertificateListResource(CertificateAuthorityBase):
@pop_certificate_authority @pop_certificate_authority
@authorize_admin @authorize_admin
@validate_common_name @validate_common_name
def on_get(self, req, resp, ca): def on_get(self, req, resp):
for j in authority.get_signed(): for j in authority.get_signed():
yield omit( yield omit(
key_type=j.key_type, key_type=j.key_type,
@ -283,29 +286,31 @@ class SignedCertificateListResource(CertificateAuthorityBase):
class RequestDetailResource(CertificateAuthorityBase): class RequestDetailResource(CertificateAuthorityBase):
@serialize
@pop_certificate_authority @pop_certificate_authority
@validate_common_name @validate_common_name
def on_get(self, req, resp, ca, cn): def on_get(self, req, resp, cn):
""" """
Fetch certificate signing request as PEM Fetch certificate signing request as PEM
""" """
path = os.path.join(ca.request_dir, cn + ".pem") path = os.path.join(req.context.get("ca").request_dir, cn + ".pem")
if not os.path.exists(path): if not os.path.exists(path):
raise falcon.HTTPNotFound() raise falcon.HTTPNotFound()
resp.stream = open(path, "rb")
resp.append_header("Content-Type", "application/x-x509-user-cert") resp.append_header("Content-Type", "application/x-x509-user-cert")
resp.append_header("Content-Disposition", "attachment; filename=%s.csr" % cn) resp.append_header("Content-Disposition", "attachment; filename=%s.csr" % cn)
return Request(open(path))
@login_required @login_required
@pop_certificate_authority @pop_certificate_authority
@authorize_admin @authorize_admin
@validate_common_name @validate_common_name
def on_patch(self, req, resp, ca, cn, user): def on_patch(self, req, resp, cn):
""" """
Sign a certificate signing request Sign a certificate signing request
""" """
csr = ca.get_request(cn) csr = req.context.get("ca").get_request(cn)
cert = ca.sign(csr, overwrite=True, delete=True) cert = req.context.get("ca").sign(csr, overwrite=True, delete=True)
os.unlink(csr.path) os.unlink(csr.path)
resp.body = "Certificate successfully signed" resp.body = "Certificate successfully signed"
resp.status = falcon.HTTP_201 resp.status = falcon.HTTP_201
@ -314,15 +319,16 @@ class RequestDetailResource(CertificateAuthorityBase):
@login_required @login_required
@pop_certificate_authority @pop_certificate_authority
@authorize_admin @authorize_admin
def on_delete(self, req, resp, ca, cn, user): def on_delete(self, req, resp, cn):
ca.delete_request(cn) req.context.get("ca").delete_request(cn)
class RequestListResource(CertificateAuthorityBase): class RequestListResource(CertificateAuthorityBase):
@serialize @serialize
@pop_certificate_authority @pop_certificate_authority
@authorize_admin @authorize_admin
def on_get(self, req, resp, ca): def on_get(self, req, resp):
for j in ca.get_requests(): for j in req.context.get("ca").get_requests():
yield omit( yield omit(
key_type=j.key_type, key_type=j.key_type,
key_length=j.key_length, key_length=j.key_length,
@ -336,12 +342,13 @@ class RequestListResource(CertificateAuthorityBase):
fingerprint=j.fingerprint()) fingerprint=j.fingerprint())
@pop_certificate_authority @pop_certificate_authority
def on_post(self, req, resp, ca): def on_post(self, req, resp):
""" """
Submit certificate signing request (CSR) in PEM format Submit certificate signing request (CSR) in PEM format
""" """
# Parse remote IPv4/IPv6 address # Parse remote IPv4/IPv6 address
remote_addr = ipaddress.ip_network(req.env["REMOTE_ADDR"]) remote_addr = ipaddress.ip_network(req.env["REMOTE_ADDR"])
ca = req.context.get("ca")
# Check for CSR submission whitelist # Check for CSR submission whitelist
if ca.request_subnets: if ca.request_subnets:
@ -415,12 +422,11 @@ class RequestListResource(CertificateAuthorityBase):
resp.status = falcon.HTTP_202 resp.status = falcon.HTTP_202
class CertificateStatusResource(CertificateAuthorityBase): class CertificateStatusResource(CertificateAuthorityBase):
""" """
openssl ocsp -issuer CAcert_class1.pem -serial 0x<serial no in hex> -url http://localhost -CAfile cacert_both.pem openssl ocsp -issuer CAcert_class1.pem -serial 0x<serial no in hex> -url http://localhost -CAfile cacert_both.pem
""" """
def on_post(self, req, resp, ca): def on_post(self, req, resp):
ocsp_request = req.stream.read(req.content_length) ocsp_request = req.stream.read(req.content_length)
for component in decoder.decode(ocsp_request): for component in decoder.decode(ocsp_request):
click.echo(component) click.echo(component)
@ -430,10 +436,10 @@ class CertificateStatusResource(CertificateAuthorityBase):
class CertificateAuthorityResource(CertificateAuthorityBase): class CertificateAuthorityResource(CertificateAuthorityBase):
@pop_certificate_authority @pop_certificate_authority
def on_get(self, req, resp, ca): def on_get(self, req, resp):
path = os.path.join(ca.certificate.path) path = os.path.join(req.context.get("ca").certificate.path)
resp.stream = open(path, "rb") resp.stream = open(path, "rb")
resp.append_header("Content-Disposition", "attachment; filename=%s.crt" % ca.slug) resp.append_header("Content-Disposition", "attachment; filename=%s.crt" % req.context.get("ca").common_name)
class IndexResource(CertificateAuthorityBase): class IndexResource(CertificateAuthorityBase):
@serialize @serialize
@ -441,45 +447,95 @@ class IndexResource(CertificateAuthorityBase):
@pop_certificate_authority @pop_certificate_authority
@authorize_admin @authorize_admin
@event_source @event_source
def on_get(self, req, resp, ca, user): def on_get(self, req, resp):
return ca return req.context.get("ca")
class AuthorityListResource(CertificateAuthorityBase): class SessionResource(CertificateAuthorityBase):
@serialize @serialize
@login_required @login_required
def on_get(self, req, resp, user): def on_get(self, req, resp):
return dict( return dict(
authorities=(self.config.ca_list), # TODO: Check if user is CA admin authorities=(self.config.ca_list), # TODO: Check if user is CA admin
username=user[0] username=req.context.get("user")[0]
) )
def address_to_identity(cnx, addr):
"""
Translate currently online client's IP-address to distinguished name
"""
SQL_LEASES = """
SELECT
acquired,
released,
identities.data as identity
FROM
addresses
RIGHT JOIN
identities
ON
identities.id = addresses.identity
WHERE
address = %s AND
released IS NOT NULL
"""
cursor = cnx.cursor()
query = (SQL_LEASES)
import struct
cursor.execute(query, (struct.pack("!L", int(addr)),))
for acquired, released, identity in cursor:
return {
"acquired": datetime.utcfromtimestamp(acquired),
"identity": parse_dn(bytes(identity))
}
return None
class WhoisResource(CertificateAuthorityBase):
@serialize
@pop_certificate_authority
def on_get(self, req, resp):
identity = address_to_identity(
req.context.get("ca").database.get_connection(),
ipaddress.ip_address(req.get_param("address") or req.env["REMOTE_ADDR"])
)
if identity:
return identity
else:
resp.status = falcon.HTTP_403
resp.body = "Failed to look up node %s" % req.env["REMOTE_ADDR"]
class ApplicationConfigurationResource(CertificateAuthorityBase): class ApplicationConfigurationResource(CertificateAuthorityBase):
@pop_certificate_authority @pop_certificate_authority
@validate_common_name @validate_common_name
def on_get(self, req, resp, ca, cn): def on_get(self, req, resp, cn):
ctx = dict( ctx = dict(
cn = cn, cn = cn,
certificate = ca.get_certificate(cn), certificate = req.context.get("ca").get_certificate(cn),
ca_certificate = open(ca.certificate.path, "r").read()) ca_certificate = open(req.context.get("ca").certificate.path, "r").read())
resp.append_header("Content-Type", "application/ovpn") resp.append_header("Content-Type", "application/ovpn")
resp.append_header("Content-Disposition", "attachment; filename=%s.ovpn" % cn) resp.append_header("Content-Disposition", "attachment; filename=%s.ovpn" % cn)
resp.body = Template(open("/etc/openvpn/%s.template" % ca.slug).read()).render(ctx) resp.body = Template(open("/etc/openvpn/%s.template" % req.context.get("ca").common_name).read()).render(ctx)
@login_required @login_required
@pop_certificate_authority @pop_certificate_authority
@authorize_admin @authorize_admin
@validate_common_name @validate_common_name
def on_put(self, req, resp, user, ca, cn=None): def on_put(self, req, resp, cn=None):
pkey_buf, req_buf, cert_buf = ca.create_bundle(cn) pkey_buf, req_buf, cert_buf = req.context.get("ca").create_bundle(cn)
ctx = dict( ctx = dict(
private_key = pkey_buf, private_key = pkey_buf,
certificate = cert_buf, certificate = cert_buf,
ca_certificate = ca.certificate.dump()) ca_certificate = req.context.get("ca").certificate.dump())
resp.append_header("Content-Type", "application/ovpn") resp.append_header("Content-Type", "application/ovpn")
resp.append_header("Content-Disposition", "attachment; filename=%s.ovpn" % cn) resp.append_header("Content-Disposition", "attachment; filename=%s.ovpn" % cn)
resp.body = Template(open("/etc/openvpn/%s.template" % ca.slug).read()).render(ctx) resp.body = Template(open("/etc/openvpn/%s.template" % req.context.get("ca").common_name).read()).render(ctx)
class StaticResource(object): class StaticResource(object):
@ -513,15 +569,20 @@ def certidude_app():
config = CertificateAuthorityConfig() config = CertificateAuthorityConfig()
app = falcon.API() app = falcon.API()
app.add_route("/api/ca/{ca}/ocsp/", CertificateStatusResource(config))
app.add_route("/api/ca/{ca}/signed/{cn}/openvpn", ApplicationConfigurationResource(config)) # Certificate authority API calls
app.add_route("/api/ca/{ca}/certificate/", CertificateAuthorityResource(config)) app.add_route("/api/ocsp/", CertificateStatusResource(config))
app.add_route("/api/ca/{ca}/revoked/", RevocationListResource(config)) app.add_route("/api/signed/{cn}/openvpn", ApplicationConfigurationResource(config))
app.add_route("/api/ca/{ca}/signed/{cn}/", SignedCertificateDetailResource(config)) app.add_route("/api/certificate/", CertificateAuthorityResource(config))
app.add_route("/api/ca/{ca}/signed/", SignedCertificateListResource(config)) app.add_route("/api/revoked/", RevocationListResource(config))
app.add_route("/api/ca/{ca}/request/{cn}/", RequestDetailResource(config)) app.add_route("/api/signed/{cn}/", SignedCertificateDetailResource(config))
app.add_route("/api/ca/{ca}/request/", RequestListResource(config)) app.add_route("/api/signed/", SignedCertificateListResource(config))
app.add_route("/api/ca/{ca}/lease/", LeaseResource(config)) app.add_route("/api/request/{cn}/", RequestDetailResource(config))
app.add_route("/api/ca/{ca}/", IndexResource(config)) app.add_route("/api/request/", RequestListResource(config))
app.add_route("/api/ca/", AuthorityListResource(config)) app.add_route("/api/", IndexResource(config))
app.add_route("/api/session/", SessionResource(config))
# Gateway API calls, should this be moved to separate project?
app.add_route("/api/lease/", LeaseResource(config))
app.add_route("/api/whois/", WhoisResource(config))
return app return app

16
certidude/auth.py
View File

@ -34,35 +34,35 @@ def login_required(func):
if not authorization: if not authorization:
resp.append_header("WWW-Authenticate", "Negotiate") resp.append_header("WWW-Authenticate", "Negotiate")
raise falcon.HTTPUnauthorized("Unauthorized", "No Kerberos ticket offered?") raise falcon.HTTPUnauthorized("Unauthorized", "No Kerberos ticket offered, are you sure you've logged in with domain user account?")
token = ''.join(authorization.split()[1:]) token = ''.join(authorization.split()[1:])
try: try:
result, context = kerberos.authGSSServerInit("HTTP@" + FQDN) result, context = kerberos.authGSSServerInit("HTTP@" + FQDN)
except kerberos.GSSError as ex: except kerberos.GSSError as ex:
raise falcon.HTTPForbidden("Forbidden", "Authentication System Failure: %s(%s)" % (ex[0][0], ex[1][0],)) raise falcon.HTTPForbidden("Forbidden", "Authentication System Failure: %s(%s)" % (ex.args[0][0], ex.args[1][0],))
try: try:
result = kerberos.authGSSServerStep(context, token) result = kerberos.authGSSServerStep(context, token)
except kerberos.GSSError as ex: except kerberos.GSSError as ex:
s = str(dir(ex))
kerberos.authGSSServerClean(context) kerberos.authGSSServerClean(context)
raise falcon.HTTPForbidden("Forbidden", "Bad credentials: %s(%s)" % (ex[0][0], ex[1][0],)) raise falcon.HTTPForbidden("Forbidden", "Bad credentials: %s (%s)" % (ex.args[0][0], ex.args[1][0]))
except kerberos.KrbError as ex: except kerberos.KrbError as ex:
kerberos.authGSSServerClean(context) kerberos.authGSSServerClean(context)
raise falcon.HTTPForbidden("Forbidden", "Bad credentials: %s" % (ex[0],)) raise falcon.HTTPForbidden("Forbidden", "Bad credentials: %s" % (ex.args[0],))
kerberos_user = kerberos.authGSSServerUserName(context).split("@") req.context["user"] = kerberos.authGSSServerUserName(context).split("@")
try: try:
# BUGBUG: https://github.com/02strich/pykerberos/issues/6 # BUGBUG: https://github.com/02strich/pykerberos/issues/6
#kerberos.authGSSServerClean(context) #kerberos.authGSSServerClean(context)
pass pass
except kerberos.GSSError as ex: except kerberos.GSSError as ex:
raise error.LoginFailed('Authentication System Failure %s(%s)' % (ex[0][0], ex[1][0],)) raise error.LoginFailed('Authentication System Failure %s(%s)' % (ex.args[0][0], ex.args[1][0],))
if result == kerberos.AUTH_GSS_COMPLETE: if result == kerberos.AUTH_GSS_COMPLETE:
kwargs["user"] = kerberos_user
return func(resource, req, resp, *args, **kwargs) return func(resource, req, resp, *args, **kwargs)
elif result == kerberos.AUTH_GSS_CONTINUE: elif result == kerberos.AUTH_GSS_CONTINUE:
raise falcon.HTTPUnauthorized("Unauthorized", "Tried GSSAPI") raise falcon.HTTPUnauthorized("Unauthorized", "Tried GSSAPI")

79
certidude/cli.py
View File

@ -52,7 +52,7 @@ SURNAME = None
EMAIL = None EMAIL = None
if USERNAME: if USERNAME:
EMAIL = USERNAME + "@" + HOSTNAME EMAIL = USERNAME + "@" + FQDN
if os.getuid() >= 1000: if os.getuid() >= 1000:
_, _, _, _, gecos, _, _ = pwd.getpwnam(USERNAME) _, _, _, _, gecos, _, _ = pwd.getpwnam(USERNAME)
@ -106,14 +106,14 @@ def certidude_spawn(kill, no_interaction):
ca_loaded = False ca_loaded = False
config = load_config() config = load_config()
for ca in config.all_authorities(): for ca in config.all_authorities():
socket_path = os.path.join(signer_dir, ca.slug + ".sock") socket_path = os.path.join(signer_dir, ca.common_name + ".sock")
pidfile_path = os.path.join(signer_dir, ca.slug + ".pid") pidfile_path = os.path.join(signer_dir, ca.common_name + ".pid")
try: try:
with open(pidfile_path) as fh: with open(pidfile_path) as fh:
pid = int(fh.readline()) pid = int(fh.readline())
os.kill(pid, 0) os.kill(pid, 0)
click.echo("Found process with PID %d for %s" % (pid, ca.slug)) click.echo("Found process with PID %d for %s" % (pid, ca.common_name))
except (ValueError, ProcessLookupError, FileNotFoundError): except (ValueError, ProcessLookupError, FileNotFoundError):
pid = 0 pid = 0
@ -138,9 +138,9 @@ def certidude_spawn(kill, no_interaction):
with open(pidfile_path, "w") as fh: with open(pidfile_path, "w") as fh:
fh.write("%d\n" % os.getpid()) fh.write("%d\n" % os.getpid())
setproctitle("%s spawn %s" % (sys.argv[0], ca.slug)) setproctitle("%s spawn %s" % (sys.argv[0], ca.common_name))
logging.basicConfig( logging.basicConfig(
filename="/var/log/certidude-%s.log" % ca.slug, filename="/var/log/certidude-%s.log" % ca.common_name,
level=logging.INFO) level=logging.INFO)
server = SignServer(socket_path, ca.private_key, ca.certificate.path, server = SignServer(socket_path, ca.private_key, ca.certificate.path,
ca.certificate_lifetime, ca.basic_constraints, ca.key_usage, ca.certificate_lifetime, ca.basic_constraints, ca.key_usage,
@ -524,15 +524,15 @@ def certidude_setup_production(username, hostname, push_server, nginx_config, uw
@click.command("authority", help="Set up Certificate Authority in a directory") @click.command("authority", help="Set up Certificate Authority in a directory")
@click.option("--parent", "-p", help="Parent CA, none by default") @click.option("--parent", "-p", help="Parent CA, none by default")
@click.option("--common-name", "-cn", default=HOSTNAME, help="Common name, hostname by default") @click.option("--common-name", "-cn", default=FQDN, help="Common name, fully qualified hostname by default")
@click.option("--country", "-c", default="ee", help="Country, Estonia by default") @click.option("--country", "-c", default=None, help="Country, none by default")
@click.option("--state", "-s", default="Harjumaa", help="State or country, Harjumaa by default") @click.option("--state", "-s", default=None, help="State or country, none by default")
@click.option("--locality", "-l", default="Tallinn", help="City or locality, Tallinn by default") @click.option("--locality", "-l", default=None, help="City or locality, none by default")
@click.option("--authority-lifetime", default=20*365, help="Authority certificate lifetime in days, 7300 days (20 years) by default") @click.option("--authority-lifetime", default=20*365, help="Authority certificate lifetime in days, 7300 days (20 years) by default")
@click.option("--certificate-lifetime", default=5*365, help="Certificate lifetime in days, 1825 days (5 years) by default") @click.option("--certificate-lifetime", default=5*365, help="Certificate lifetime in days, 1825 days (5 years) by default")
@click.option("--revocation-list-lifetime", default=1, help="Revocation list lifetime in days, 1 day by default") @click.option("--revocation-list-lifetime", default=1, help="Revocation list lifetime in days, 1 day by default")
@click.option("--organization", "-o", default="Example LLC", help="Company or organization name") @click.option("--organization", "-o", default=None, help="Company or organization name")
@click.option("--organizational-unit", "-ou", default="Certification Department") @click.option("--organizational-unit", "-ou", default=None)
@click.option("--pkcs11", default=False, is_flag=True, help="Use PKCS#11 token instead of files") @click.option("--pkcs11", default=False, is_flag=True, help="Use PKCS#11 token instead of files")
@click.option("--crl-distribution-url", default=None, help="CRL distribution URL") @click.option("--crl-distribution-url", default=None, help="CRL distribution URL")
@click.option("--ocsp-responder-url", default=None, help="OCSP responder URL") @click.option("--ocsp-responder-url", default=None, help="OCSP responder URL")
@ -540,17 +540,14 @@ def certidude_setup_production(username, hostname, push_server, nginx_config, uw
@click.option("--inbox", default="imap://user:pass@host:port/INBOX", help="Inbound e-mail server") @click.option("--inbox", default="imap://user:pass@host:port/INBOX", help="Inbound e-mail server")
@click.option("--outbox", default="smtp://localhost", help="Outbound e-mail server") @click.option("--outbox", default="smtp://localhost", help="Outbound e-mail server")
@click.option("--push-server", default="", help="Streaming nginx push server") @click.option("--push-server", default="", help="Streaming nginx push server")
@click.argument("directory") @click.option("--directory", default=None, help="Directory for authority files, /var/lib/certidude/<common-name>/ by default")
def certidude_setup_authority(parent, country, state, locality, organization, organizational_unit, common_name, directory, certificate_lifetime, authority_lifetime, revocation_list_lifetime, pkcs11, crl_distribution_url, ocsp_responder_url, email_address, inbox, outbox, push_server): def certidude_setup_authority(parent, country, state, locality, organization, organizational_unit, common_name, directory, certificate_lifetime, authority_lifetime, revocation_list_lifetime, pkcs11, crl_distribution_url, ocsp_responder_url, email_address, inbox, outbox, push_server):
publish_certificate_url = push_server + "/publish/%(request_sha1sum)s" if not directory:
subscribe_certificate_url = push_server + "/subscribe/%(request_sha1sum)s" directory = os.path.join("/var/lib/certidude", common_name)
slug = os.path.basename(directory[:-1] if directory.endswith('/') else directory) # Make sure common_name is valid
if not slug: if not re.match(r"^[\._a-zA-Z0-9]+$", common_name):
raise click.ClickException("Please supply proper target path")
# Make sure slug is valid
if not re.match(r"^[_a-zA-Z0-9]+$", slug):
raise click.ClickException("CA name can contain only alphanumeric and '_' characters") raise click.ClickException("CA name can contain only alphanumeric and '_' characters")
if os.path.lexists(directory): if os.path.lexists(directory):
@ -567,7 +564,7 @@ def certidude_setup_authority(parent, country, state, locality, organization, or
key.generate_key(crypto.TYPE_RSA, 4096) key.generate_key(crypto.TYPE_RSA, 4096)
if not crl_distribution_url: if not crl_distribution_url:
crl_distribution_url = "http://%s/api/%s/revoked/" % (common_name, slug) crl_distribution_url = "http://%s/api/revoked/" % common_name
# File paths # File paths
ca_key = os.path.join(directory, "ca_key.pem") ca_key = os.path.join(directory, "ca_key.pem")
@ -579,11 +576,18 @@ def certidude_setup_authority(parent, country, state, locality, organization, or
ca.set_version(2) # This corresponds to X.509v3 ca.set_version(2) # This corresponds to X.509v3
ca.set_serial_number(1) ca.set_serial_number(1)
ca.get_subject().CN = common_name ca.get_subject().CN = common_name
ca.get_subject().C = country
ca.get_subject().ST = state if country:
ca.get_subject().L = locality ca.get_subject().C = country
ca.get_subject().O = organization if state:
ca.get_subject().OU = organizational_unit ca.get_subject().ST = state
if locality:
ca.get_subject().L = locality
if organization:
ca.get_subject().O = organization
if organizational_unit:
ca.get_subject().OU = organizational_unit
ca.gmtime_adj_notBefore(0) ca.gmtime_adj_notBefore(0)
ca.gmtime_adj_notAfter(authority_lifetime * 24 * 60 * 60) ca.gmtime_adj_notAfter(authority_lifetime * 24 * 60 * 60)
ca.set_issuer(ca.get_subject()) ca.set_issuer(ca.get_subject())
@ -621,7 +625,7 @@ def certidude_setup_authority(parent, country, state, locality, organization, or
raise NotImplementedError() raise NotImplementedError()
""" """
ocsp_responder_url = "http://%s/api/%s/ocsp/" % (common_name, slug) ocsp_responder_url = "http://%s/api/ocsp/" % common_name
authority_info_access = "OCSP;URI:%s" % ocsp_responder_url authority_info_access = "OCSP;URI:%s" % ocsp_responder_url
ca.add_extensions([ ca.add_extensions([
crypto.X509Extension( crypto.X509Extension(
@ -661,18 +665,19 @@ def certidude_setup_authority(parent, country, state, locality, organization, or
with open(ca_key, "wb") as fh: with open(ca_key, "wb") as fh:
fh.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key)) fh.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
with open(os.path.join(directory, "openssl.cnf.example"), "w") as fh: ssl_cnf_example = os.path.join(directory, "openssl.cnf.example")
with open(ssl_cnf_example, "w") as fh:
fh.write(env.get_template("openssl.cnf").render(locals())) fh.write(env.get_template("openssl.cnf").render(locals()))
click.echo("You need to copy the contents of the 'openssl.cnf.example'") click.echo("You need to copy the contents of the '%s'" % ssl_cnf_example)
click.echo("to system-wide OpenSSL configuration file, usually located") click.echo("to system-wide OpenSSL configuration file, usually located")
click.echo("at /etc/ssl/openssl.cnf") click.echo("at /etc/ssl/openssl.cnf")
click.echo() click.echo()
click.echo("Use following commands to inspect the newly created files:") click.echo("Use following commands to inspect the newly created files:")
click.echo() click.echo()
click.echo(" openssl crl -inform PEM -text -noout -in %s" % ca_crl) click.echo(" openssl crl -inform PEM -text -noout -in %s | less" % ca_crl)
click.echo(" openssl x509 -text -noout -in %s" % ca_crt) click.echo(" openssl x509 -text -noout -in %s | less" % ca_crt)
click.echo(" openssl rsa -check -in %s" % ca_key) click.echo(" openssl rsa -check -in %s" % ca_key)
click.echo(" openssl verify -CAfile %s %s" % (ca_crt, ca_crt)) click.echo(" openssl verify -CAfile %s %s" % (ca_crt, ca_crt))
click.echo() click.echo()
@ -746,7 +751,7 @@ def certidude_list(ca, verbose, show_key_type, show_extensions, show_path, show_
if not hide_requests: if not hide_requests:
for j in ca.get_requests(): for j in ca.get_requests():
if not verbose: if not verbose:
click.echo("s " + j.path + " " + j.distinguished_name) click.echo("s " + j.path + " " + j.identity)
continue continue
click.echo(click.style(j.common_name, fg="blue")) click.echo(click.style(j.common_name, fg="blue"))
click.echo("=" * len(j.common_name)) click.echo("=" * len(j.common_name))
@ -777,11 +782,11 @@ def certidude_list(ca, verbose, show_key_type, show_extensions, show_path, show_
for j in ca.get_signed(): for j in ca.get_signed():
if not verbose: if not verbose:
if j.signed < NOW and j.expires > NOW: if j.signed < NOW and j.expires > NOW:
click.echo("v " + j.path + " " + j.distinguished_name) click.echo("v " + j.path + " " + j.identity)
elif NOW > j.expires: elif NOW > j.expires:
click.echo("e " + j.path + " " + j.distinguished_name) click.echo("e " + j.path + " " + j.identity)
else: else:
click.echo("y " + j.path + " " + j.distinguished_name) click.echo("y " + j.path + " " + j.identity)
continue continue
click.echo(click.style(j.common_name, fg="blue") + " " + click.style(j.serial_number_hex, fg="white")) click.echo(click.style(j.common_name, fg="blue") + " " + click.style(j.serial_number_hex, fg="white"))
@ -803,7 +808,7 @@ def certidude_list(ca, verbose, show_key_type, show_extensions, show_path, show_
if show_revoked: if show_revoked:
for j in ca.get_revoked(): for j in ca.get_revoked():
if not verbose: if not verbose:
click.echo("r " + j.path + " " + j.distinguished_name) click.echo("r " + j.path + " " + j.identity)
continue continue
click.echo(click.style(j.common_name, fg="blue") + " " + click.style(j.serial_number_hex, fg="white")) click.echo(click.style(j.common_name, fg="blue") + " " + click.style(j.serial_number_hex, fg="white"))
click.echo("="*(len(j.common_name)+60)) click.echo("="*(len(j.common_name)+60))
@ -869,7 +874,7 @@ def certidude_sign(common_name, overwrite, lifetime):
# Sign directly using private key # Sign directly using private key
cert = ca.sign2(request, overwrite, True, lifetime) cert = ca.sign2(request, overwrite, True, lifetime)
click.echo("Signed %s" % cert.distinguished_name) click.echo("Signed %s" % cert.identity)
for key, value, data in cert.extensions: for key, value, data in cert.extensions:
click.echo("Added extension %s: %s" % (key, value)) click.echo("Added extension %s: %s" % (key, value))
click.echo() click.echo()

7
certidude/helpers.py
View File

@ -40,10 +40,15 @@ def certidude_request_certificate(url, key_path, request_path, certificate_path,
# Set up URL-s # Set up URL-s
request_params = set() request_params = set()
if autosign: if autosign:
request_params.add("autosign=yes") request_params.add("autosign=true")
if wait: if wait:
request_params.add("wait=forever") request_params.add("wait=forever")
# Expand ca.example.com to http://ca.example.com/api/
if not "/" in url:
url += "/api/"
if "//" not in url:
url = "http://" + url
if not url.endswith("/"): if not url.endswith("/"):
url = url + "/" url = url + "/"

14
certidude/signer.py
View File

@ -50,10 +50,14 @@ def raw_sign(private_key, ca_cert, request, basic_constraints, lifetime, key_usa
# raise ValueError("Country mismatch!") # raise ValueError("Country mismatch!")
# Copy attributes from CA # Copy attributes from CA
cert.get_subject().C = ca_cert.get_subject().C if ca_cert.get_subject().C:
cert.get_subject().ST = ca_cert.get_subject().ST cert.get_subject().C = ca_cert.get_subject().C
cert.get_subject().L = ca_cert.get_subject().L if ca_cert.get_subject().ST:
cert.get_subject().O = ca_cert.get_subject().O cert.get_subject().ST = ca_cert.get_subject().ST
if ca_cert.get_subject().L:
cert.get_subject().L = ca_cert.get_subject().L
if ca_cert.get_subject().O:
cert.get_subject().O = ca_cert.get_subject().O
# Copy attributes from request # Copy attributes from request
cert.get_subject().CN = request.get_subject().CN cert.get_subject().CN = request.get_subject().CN
@ -198,7 +202,7 @@ class SignServer(asyncore.dispatcher):
# Dropping privileges # Dropping privileges
_, _, uid, gid, gecos, root, shell = pwd.getpwnam("nobody") _, _, uid, gid, gecos, root, shell = pwd.getpwnam("nobody")
os.chroot("/run/certidude/signer/jail") #os.chroot("/run/certidude/signer/jail")
os.setgid(gid) os.setgid(gid)
os.setuid(uid) os.setuid(uid)

51
certidude/static/authority.html
View File

@ -1,4 +1,4 @@
<h1>{{authority.slug}} management</h1> <h1>{{authority.common_name}} management</h1>
<p>Hi {{session.username}},</p> <p>Hi {{session.username}},</p>
@ -9,51 +9,26 @@
{% set s = authority.certificate.identity %} {% set s = authority.certificate.identity %}
<input id="search" class="icon search" type="search" placeholder="hostname, IP-address, etc"/>
<h1>Pending requests</h1> <h1>Pending requests</h1>
<ul> <ul id="pending_requests">
{% for j in authority.requests %} {% for request in authority.requests %}
{% include "request.html" %} {% include "request.html" %}
{% else %}
<li>Great job! No certificate signing requests to sign.</li>
{% endfor %} {% endfor %}
<li class="notify">
<p>No certificate signing requests to sign! You can submit a certificate signing request by:</p>
<pre>certidude setup client {{authority.common_name}}</pre>
</li>
</ul> </ul>
<h1>Signed certificates</h1> <h1>Signed certificates</h1>
<ul id="signed_certificates"> <ul id="signed_certificates">
{% for j in authority.signed | sort | reverse %} {% for certificate in authority.signed | sort | reverse %}
<li id="certificate_{{ j.sha256sum }}" data-dn="{{ j.identity }}"> {% include "signed.html" %}
<a class="button icon download" href="/api/ca/{{authority.slug}}/signed/{{j.common_name}}/">Fetch</a>
<button class="icon revoke" onClick="javascript:$(this).addClass('busy');$.ajax({url:'/api/ca/{{authority.slug}}/signed/{{j.common_name}}/',type:'delete'});">Revoke</button>
<div class="monospace">
{% include 'img/iconmonstr-certificate-15-icon.svg' %}
{{j.identity}}
</div>
{% if j.email_address %}
<div class="email">{% include 'img/iconmonstr-email-2-icon.svg' %} {{ j.email_address }}</div>
{% endif %}
<div class="monospace">
{% include 'img/iconmonstr-key-2-icon.svg' %}
<span title="SHA-256 of public key">
{{ j.sha256sum }}
</span>
{{ j.key_length }}-bit
{{ j.key_type }}
</div>
<div>
{% include 'img/iconmonstr-flag-3-icon.svg' %}
{{j.key_usage}}
</div>
<div class="status">
{% include 'status.html' %}
</div>
</li>
{% endfor %} {% endfor %}
</ul> </ul>
@ -61,7 +36,7 @@
<p>To fetch certificate revocation list:</p> <p>To fetch certificate revocation list:</p>
<pre> <pre>
curl {{request.url}}/revoked/ | openssl crl -text -noout curl {{window.location.href}}api/revoked/ | openssl crl -text -noout
</pre> </pre>
<!-- <!--
<p>To perform online certificate status request</p> <p>To perform online certificate status request</p>

25
certidude/static/css/style.css
View File

@ -35,18 +35,36 @@ ul {
padding: 0; padding: 0;
} }
#pending_requests .notify {
display: none;
}
#pending_requests .notify:only-child {
display: block;
}
button, .button, input[type='search'], input[type='text'] {
border: 1pt solid #ccc;
border-radius: 6px;
}
button, .button { button, .button {
color: #000; color: #000;
float: right; float: right;
border: 1pt solid #ccc;
background-color: #eee; background-color: #eee;
border-radius: 6px;
margin: 2px; margin: 2px;
padding: 6px 12px; padding: 6px 12px;
background-position: 6px; background-position: 6px;
box-sizing: border-box; box-sizing: border-box;
} }
input[type='search'], input[type='text'] {
padding: 4px 4px 4px 36px;
background-position: 6px;
width: 100%;
}
button:disabled, .button:disabled { button:disabled, .button:disabled {
color: #888; color: #888;
} }
@ -108,7 +126,7 @@ h2 svg {
top: 16px; top: 16px;
} }
p, td, footer, li, button { p, td, footer, li, button, input {
font-family: 'PT Sans Narrow'; font-family: 'PT Sans Narrow';
font-size: 14pt; font-size: 14pt;
} }
@ -155,6 +173,7 @@ li {
.icon.revoke { background-image: url("../img/iconmonstr-x-mark-5-icon.svg"); } .icon.revoke { background-image: url("../img/iconmonstr-x-mark-5-icon.svg"); }
.icon.download { background-image: url("../img/iconmonstr-download-12-icon.svg"); } .icon.download { background-image: url("../img/iconmonstr-download-12-icon.svg"); }
.icon.sign { background-image: url("../img/iconmonstr-pen-10-icon.svg"); } .icon.sign { background-image: url("../img/iconmonstr-pen-10-icon.svg"); }
.icon.search { background-image: url("../img/iconmonstr-magnifier-4-icon.svg"); }
/* Make sure this is the last one */ /* Make sure this is the last one */
.icon.busy{background-image:url("https://software.opensuse.org/assets/ajax-loader-ea46060b6c9f42822a3d58d075c83ea2.gif");} .icon.busy{background-image:url("https://software.opensuse.org/assets/ajax-loader-ea46060b6c9f42822a3d58d075c83ea2.gif");}

2
certidude/static/error.html Normal file
View File

@ -0,0 +1,2 @@
<h1>{{ message.title }}</h1>
<p>{{ message.description }}</p>

27
certidude/static/img/iconmonstr-magnifier-4-icon.svg Normal file
View File

@ -0,0 +1,27 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- The icon can be used freely in both personal and commercial projects with no attribution required, but always appreciated.
You may NOT sub-license, resell, rent, redistribute or otherwise transfer the icon without express written permission from iconmonstr.com -->
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
width="512px" height="512px" viewBox="0 0 512 512" enable-background="new 0 0 512 512" xml:space="preserve">
<path id="magnifier-4-icon" d="M448.225,394.243l-85.387-85.385c16.55-26.081,26.146-56.986,26.146-90.094
c0-92.989-75.652-168.641-168.643-168.641c-92.989,0-168.641,75.652-168.641,168.641s75.651,168.641,168.641,168.641
c31.465,0,60.939-8.67,86.175-23.735l86.14,86.142C429.411,486.566,485.011,431.029,448.225,394.243z M103.992,218.764
c0-64.156,52.192-116.352,116.35-116.352s116.353,52.195,116.353,116.352s-52.195,116.352-116.353,116.352
S103.992,282.92,103.992,218.764z M138.455,188.504c34.057-78.9,148.668-69.752,170.248,12.862
C265.221,150.329,188.719,144.834,138.455,188.504z"/>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.2 KiB

1
certidude/static/index.html
View File

@ -8,6 +8,7 @@
<script type="text/javascript" src="/js/jquery-2.1.4.min.js"></script> <script type="text/javascript" src="/js/jquery-2.1.4.min.js"></script>
<script type="text/javascript" src="/js/nunjucks.min.js"></script> <script type="text/javascript" src="/js/nunjucks.min.js"></script>
<script type="text/javascript" src="/js/certidude.js"></script> <script type="text/javascript" src="/js/certidude.js"></script>
<link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon">
</head> </head>
<body> <body>
<div id="container"> <div id="container">

51
certidude/static/js/certidude.js
View File

@ -3,8 +3,16 @@ $(document).ready(function() {
$.ajax({ $.ajax({
method: "GET", method: "GET",
url: "/api/ca/", url: "/api/session/",
dataType: "json", dataType: "json",
error: function(response) {
if (response.responseJSON) {
var msg = response.responseJSON
} else {
var msg = { title: "Error " + response.status, description: response.statusText }
}
$("#container").html(nunjucks.render('error.html', { message: msg }));
},
success: function(session, status, xhr) { success: function(session, status, xhr) {
console.info("Loaded CA list:", session); console.info("Loaded CA list:", session);
@ -15,7 +23,7 @@ $(document).ready(function() {
$.ajax({ $.ajax({
method: "GET", method: "GET",
url: "/api/ca/" + session.authorities[0], url: "/api/",
dataType: "json", dataType: "json",
success: function(authority, status, xhr) { success: function(authority, status, xhr) {
console.info("Got CA:", authority); console.info("Got CA:", authority);
@ -61,12 +69,33 @@ $(document).ready(function() {
source.addEventListener("request_submitted", function(e) { source.addEventListener("request_submitted", function(e) {
console.log("Request submitted:", e.data); console.log("Request submitted:", e.data);
$.ajax({
method: "GET",
url: "/api/request/lauri-c720p/",
dataType: "json",
success: function(request, status, xhr) {
console.info(request);
$("#pending_requests").prepend(
nunjucks.render('request.html', { request: request }));
}
});
}); });
source.addEventListener("request_signed", function(e) { source.addEventListener("request_signed", function(e) {
console.log("Request signed:", e.data); console.log("Request signed:", e.data);
$("#request_" + e.data).slideUp("normal", function() { $(this).remove(); }); $("#request_" + e.data).slideUp("normal", function() { $(this).remove(); });
// TODO: Insert <li> to signed certs list
$.ajax({
method: "GET",
url: "/api/signed/lauri-c720p/",
dataType: "json",
success: function(certificate, status, xhr) {
console.info(certificate);
$("#signed_certificates").prepend(
nunjucks.render('signed.html', { certificate: certificate }));
}
});
}); });
source.addEventListener("certificate_revoked", function(e) { source.addEventListener("certificate_revoked", function(e) {
@ -74,11 +103,11 @@ $(document).ready(function() {
$("#certificate_" + e.data).slideUp("normal", function() { $(this).remove(); }); $("#certificate_" + e.data).slideUp("normal", function() { $(this).remove(); });
}); });
$("#container").html(nunjucks.render('authority.html', { authority: authority, session: session })); $("#container").html(nunjucks.render('authority.html', { authority: authority, session: session, window: window }));
$.ajax({ $.ajax({
method: "GET", method: "GET",
url: "/api/ca/" + authority.slug + "/lease/", url: "/api/lease/",
dataType: "json", dataType: "json",
success: function(leases, status, xhr) { success: function(leases, status, xhr) {
console.info("Got leases:", leases); console.info("Got leases:", leases);
@ -96,6 +125,18 @@ $(document).ready(function() {
released: leases[j].released ? new Date(leases[j].released).toLocaleString() : null released: leases[j].released ? new Date(leases[j].released).toLocaleString() : null
}})); }}));
} }
/* Set up search box */
$("#search").on("keyup", function() {
var q = $("#search").val().toLowerCase();
$(".filterable").each(function(i, e) {
if ($(e).attr("data-dn").toLowerCase().indexOf(q) >= 0) {
$(e).show();
} else {
$(e).hide();
}
});
});
} }
}); });
} }

26
certidude/static/request.html
View File

@ -1,37 +1,37 @@
<li id="request_{{ j.md5sum }}"> <li id="request_{{ request.sha256sum }}" class="filterable">
<a class="button icon download" href="/api/ca/{{authority.slug}}/request/{{j.common_name}}/">Fetch</a> <a class="button icon download" href="/api/request/{{request.common_name}}/">Fetch</a>
{% if j.signable %} {% if request.signable %}
<button class="icon sign" onClick="javascript:$(this).addClass('busy');$.ajax({url:'/api/ca/{{authority.slug}}/request/{{j.common_name}}/',type:'patch'});">Sign</button> <button class="icon sign" onClick="javascript:$(this).addClass('busy');$.ajax({url:'/api/request/{{request.common_name}}/',type:'patch'});">Sign</button>
{% else %} {% else %}
<button title="Please use certidude command-line utility to sign unusual requests" disabled>Sign</button> <button title="Please use certidude command-line utility to sign unusual requests" disabled>Sign</button>
{% endif %} {% endif %}
<button class="icon revoke" onClick="javascript:$(this).addClass('busy');$.ajax({url:'/api/ca/{{authority.slug}}/request/{{j.common_name}}/',type:'delete'});">Delete</button> <button class="icon revoke" onClick="javascript:$(this).addClass('busy');$.ajax({url:'/api/request/{{request.common_name}}/',type:'delete'});">Delete</button>
<div class="monospace"> <div class="monospace">
{% include 'img/iconmonstr-certificate-15-icon.svg' %} {% include 'img/iconmonstr-certificate-15-icon.svg' %}
{{j.identity}} {{request.identity}}
</div> </div>
{% if j.email_address %} {% if request.email_address %}
<div class="email">{% include 'img/iconmonstr-email-2-icon.svg' %} {{ j.email_address }}</div> <div class="email">{% include 'img/iconmonstr-email-2-icon.svg' %} {{ request.email_address }}</div>
{% endif %} {% endif %}
<div class="monospace"> <div class="monospace">
{% include 'img/iconmonstr-key-2-icon.svg' %} {% include 'img/iconmonstr-key-2-icon.svg' %}
<span title="SHA-1 of public key"> <span title="SHA-1 of public key">
{{ j.sha256sum }} {{ request.sha256sum }}
</span> </span>
{{ j.key_length }}-bit {{ request.key_length }}-bit
{{ j.key_type }} {{ request.key_type }}
</div> </div>
{% set key_usage = j.key_usage %} {% set key_usage = request.key_usage %}
{% if key_usage %} {% if key_usage %}
<div> <div>
{% include 'img/iconmonstr-flag-3-icon.svg' %} {% include 'img/iconmonstr-flag-3-icon.svg' %}
{{j.key_usage}} {{request.key_usage}}
</div> </div>
{% endif %} {% endif %}

31
certidude/static/signed.html Normal file
View File

@ -0,0 +1,31 @@
<li id="certificate_{{ certificate.sha256sum }}" data-dn="{{ certificate.identity }}" class="filterable">
<a class="button icon download" href="/api/signed/{{certificate.common_name}}/">Fetch</a>
<button class="icon revoke" onClick="javascript:$(this).addClass('busy');$.ajax({url:'/api/signed/{{certificate.common_name}}/',type:'delete'});">Revoke</button>
<div class="monospace">
{% include 'img/iconmonstr-certificate-15-icon.svg' %}
{{certificate.identity}}
</div>
{% if certificate.email_address %}
<div class="email">{% include 'img/iconmonstr-email-2-icon.svg' %} {{ certificate.email_address }}</div>
{% endif %}
<div class="monospace">
{% include 'img/iconmonstr-key-2-icon.svg' %}
<span title="SHA-256 of public key">
{{ certificate.sha256sum }}
</span>
{{ certificate.key_length }}-bit
{{ certificate.key_type }}
</div>
<div>
{% include 'img/iconmonstr-flag-3-icon.svg' %}
{{certificate.key_usage}}
</div>
<div class="status">
{% include 'status.html' %}
</div>
</li>

0
certidude/templates/__init__.py
View File

35
certidude/templates/iconmonstr-certificate-15-icon.svg
View File

@ -1,35 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- License Agreement at http://iconmonstr.com/license/ -->
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
width="32px" height="32px" viewBox="0 0 512 512" style="enable-background:new 0 0 512 512;" xml:space="preserve">
<path id="certificate-15" d="M374.021,384.08c-4.527,29.103-16.648,55.725-36.043,77.92c-1.125-7.912-4.359-15.591-7.428-21.727
c-7.023,3.705-15.439,5.666-22.799,5.666c-1.559,0-3.102-0.084-4.543-0.268c20.586-21.459,30.746-43.688,33.729-73.294
c4.828,1.341,10.697,2.046,18.072,2.046C362.119,379.285,364.918,382.319,374.021,384.08z M457.709,445.672
c-20.553-21.425-30.596-43.755-33.596-73.327c-4.861,1.358-10.73,2.079-18.207,2.079c-7.107,4.895-10.074,7.93-18.994,9.639
c4.527,29.12,16.648,55.742,36.027,77.938c1.123-7.912,4.359-15.591,7.426-21.727C439.133,444.9,449.795,446.678,457.709,445.672z
M372.01,362.789c-12.088-8.482-9.473-7.678-24.426-7.628c-0.018,0-0.018,0-0.033,0c-6.221,0-11.752-3.872-13.631-9.572
c-4.576-13.68-3.018-11.551-15.088-19.95c-5.18-3.57-7.174-9.907-5.264-15.456c4.695-13.612,4.695-10.997,0-24.677
c-1.877-5.499,0.033-11.869,5.264-15.457c12.07-8.383,10.496-6.27,15.088-19.958c1.879-5.717,7.41-9.564,13.631-9.564
c0.016,0,0.016,0,0.033,0c14.938,0.042,12.322,0.888,24.426-7.628c2.514-1.76,5.465-2.649,8.449-2.649s5.934,0.889,8.449,2.649
c12.086,8.491,9.471,7.678,24.426,7.628c0.016,0,0.016,0,0.016,0c6.236,0,11.77,3.847,13.68,9.564
c4.561,13.654,2.951,11.542,15.055,19.958c3.822,2.632,5.969,6.822,5.969,11.165c0,1.425-0.234,2.884-0.721,4.292
c-4.678,13.612-4.678,10.997,0,24.677c1.91,5.432,0,11.835-5.248,15.456c-12.104,8.399-10.494,6.287-15.055,19.95
c-3.52,10.562-11.266,9.522-20.25,9.522c-7.947,0-7.98,0.721-17.871,7.678C383.879,366.326,377.039,366.326,372.01,362.789z
M380.459,331.641c18.676,0,33.797-15.154,33.797-33.797c0-18.676-15.121-33.797-33.797-33.797s-33.797,15.121-33.797,33.797
C346.662,316.486,361.783,331.641,380.459,331.641z M300.225,354.508c-28.76,18.172-61.131,38.574-67.837,42.799
c-0.737-13.261-5.649-25.6-14.216-35.792c-0.998-1.257-99.79-127.031-123.981-157.987c-19.044-24.358-1.039-50.352,21.106-50.352
c29.078,0,40.662,37.887,15.348,54.3l19.967,25.515l138.247-78.122c23.975-17.712,30.73-50.436,15.691-76.119
C294.156,61.014,274.91,50,254.348,50c-8.155,0-16.068,1.677-23.57,5.013L88.918,127.577C66.58,138.281,54.292,159.27,54.292,181.6
c0,14.015,4.836,28.55,15.062,41.408c24.786,31.165,124.643,158.859,125.641,160.133c14.794,19.682,0.293,47.259-23.621,47.259
c-16.974,0-26.019-12.104-28.608-22.447c-3.018-12.104,1.19-24.157,13.269-31.903l-19.58-25.028
c-14.686,10.327-24.032,26.001-25.876,43.521C106.646,431.857,136.386,462,171.633,462c10.821,0,21.542-2.984,31.014-8.617
l94.158-59.379C301.33,386.896,305.891,369.461,300.225,354.508z M243.25,84.057c3.487-1.635,7.401-2.49,11.315-2.49
c9.909,0,18.577,5.23,23.161,14.007c5.801,11.073,4.191,27.3-10.193,35.548l-91.114,51.609c0-20.453-9.975-39.212-26.957-50.67
L243.25,84.057z M277.35,191.642c5.139,6.32,16.891,20.729,29.613,36.336c5.969-9.019,14.736-15.817,25.062-19.245
c-11.549-14.166-21.775-26.739-26.805-32.883L277.35,191.642z M227.81,329.729l49.288-27.963l-10.863-14.149l-49.145,28.5
L227.81,329.729z M259.428,209.772l-86.042,50.52l10.712,13.596l86.288-50.662L259.428,209.772z M281.516,237.182l-86.429,50.905
l10.713,13.597l86.679-51.048L281.516,237.182z"/>
</svg>
Side by Side

Before

Width:  |  Height:  |  Size: 3.5 KiB

21
certidude/templates/iconmonstr-email-2-icon.svg
View File

@ -1,21 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- The icon can be used freely in both personal and commercial projects with no attribution required, but always appreciated.
You may NOT sub-license, resell, rent, redistribute or otherwise transfer the icon without express written permission from iconmonstr.com -->
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
width="32px" height="32px" viewBox="0 0 512 512" enable-background="new 0 0 512 512" xml:space="preserve">
<path id="email-2-icon" d="M49.744,103.407v305.186H50.1h411.156h1V103.407H49.744z M415.533,138.407L255.947,260.465
L96.473,138.407H415.533z M84.744,173.506l85.504,65.441L84.744,324.45V173.506z M85.1,373.593l113.186-113.186l57.654,44.127
l57.375-43.882l112.941,112.94H85.1z M427.256,325.097l-85.896-85.896l85.896-65.695V325.097z"/>
</svg>
Side by Side

Before

Width:  |  Height:  |  Size: 982 B

11
certidude/templates/iconmonstr-flag-3-icon.svg
View File

@ -1,11 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- License Agreement at http://iconmonstr.com/license/ -->
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
width="32px" height="32px" viewBox="0 0 512 512" enable-background="new 0 0 512 512" xml:space="preserve">
<path id="flag-3-icon" d="M120.204,462H74.085V50h46.119V462z M437.915,80.746c0,0-29.079,25.642-67.324,25.642
c-60.271,0-61.627-51.923-131.596-51.923c-37.832,0-73.106,17.577-88.045,30.381c0,12.64,0,216.762,0,216.762
c21.204-14.696,53.426-30.144,88.286-30.144c66.08,0,75.343,49.388,134.242,49.388c38.042,0,64.437-24.369,64.437-24.369V80.746z"/>
</svg>
Side by Side

Before

Width:  |  Height:  |  Size: 786 B

15
certidude/templates/iconmonstr-key-2-icon.svg
View File

@ -1,15 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- The icon can be used freely in both personal and commercial projects with no attribution required, but always appreciated.
You may NOT sub-license, resell, rent, redistribute or otherwise transfer the icon without express written permission from iconmonstr.com -->
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
width="32px" height="32px" viewBox="0 0 512 512" enable-background="new 0 0 512 512" xml:space="preserve">
<path id="key-2-icon" stroke="#000000" stroke-miterlimit="10" d="M286.529,325.486l-45.314,45.314h-43.873l0.002,43.872
l-45.746-0.001v41.345l-100.004-0.001l150.078-150.076c-4.578-4.686-10.061-11.391-13.691-17.423L50,426.498v-40.939
l145.736-145.736C212.174,278.996,244.713,310.705,286.529,325.486z M425.646,92.339c48.473,48.473,48.471,127.064-0.002,175.535
c-48.477,48.476-127.061,48.476-175.537,0.001c-48.473-48.472-48.475-127.062,0-175.537
C298.58,43.865,377.172,43.865,425.646,92.339z M400.73,117.165c-12.023-12.021-31.516-12.021-43.537,0
c-12.021,12.022-12.021,31.517,0,43.538s31.514,12.021,43.537-0.001C412.754,148.68,412.75,129.188,400.73,117.165z"/>
</svg>
Side by Side

Before

Width:  |  Height:  |  Size: 1.3 KiB

18
certidude/templates/iconmonstr-time-13-icon.svg
View File

@ -1,18 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- The icon can be used freely in both personal and commercial projects with no attribution required, but always appreciated.
You may NOT sub-license, resell, rent, redistribute or otherwise transfer the icon without express written permission from iconmonstr.com -->
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
width="32px" height="32px" viewBox="0 0 512 512" enable-background="new 0 0 512 512" xml:space="preserve">
<path id="time-13-icon" d="M361.629,172.206c15.555-19.627,24.121-44.229,24.121-69.273V50h-259.5v52.933
c0,25.044,8.566,49.646,24.121,69.273l50.056,63.166c9.206,11.617,9.271,27.895,0.159,39.584l-50.768,65.13
c-15.198,19.497-23.568,43.85-23.568,68.571V462h259.5v-53.343c0-24.722-8.37-49.073-23.567-68.571l-50.769-65.13
c-9.112-11.689-9.047-27.967,0.159-39.584L361.629,172.206z M330.634,364.678c11.412,14.64,15.116,29.947,15.116,47.321h-11.096
c-4.586-17.886-31.131-30.642-62.559-47.586c-6.907-3.724-6.096-10.373-6.096-15.205h-20c0,4.18,1.03,11.365-6.106,15.202
c-32.073,17.249-58.274,29.705-62.701,47.589H166.25c0-17.261,3.645-32.605,15.115-47.321l50.769-65.13
c7.109-9.12,11.723-19.484,13.866-30.22v13.38h20V269.33c2.144,10.734,6.758,21.098,13.866,30.218L330.634,364.678z
M197.966,167.862l-16.245-20.5c-11.538-14.56-15.471-30.096-15.471-47.361h179.5c0,17.149-3.872,32.727-15.471,47.361l-16.245,20.5
H197.966z M246,294.458h20v15h-20V294.458z M246,321.958h20v15h-20V321.958z"/>
</svg>
Side by Side

Before

Width:  |  Height:  |  Size: 1.6 KiB

199
certidude/templates/index.html
View File

@ -1,199 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8"/>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>Certidude server</title>
<link href="/css/style.css" rel="stylesheet" type="text/css"/>
<link href="//fonts.googleapis.com/css?family=Ubuntu+Mono" rel="stylesheet" type="text/css"/>
<link href="//fonts.googleapis.com/css?family=Gentium" rel="stylesheet" type="text/css"/>
<link href="//fonts.googleapis.com/css?family=PT+Sans+Narrow" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="/js/jquery-2.1.4.min.js"></script>
<script type="text/javascript" src="/js/certidude.js"></script>
</head>
<body>
<div id="container">
<h1>Submit signing request</h1>
<p>Hi, {{user}}</p>
<p>Request submission is allowed from: {% if ca.request_subnets %}{% for i in ca.request_subnets %}{{ i }} {% endfor %}{% else %}anywhere{% endif %}</p>
<p>Autosign is allowed from: {% if ca.autosign_subnets %}{% for i in ca.autosign_subnets %}{{ i }} {% endfor %}{% else %}nowhere{% endif %}</p>
<p>Authority administration is allowed from: {% if ca.admin_subnets %}{% for i in ca.admin_subnets %}{{ i }} {% endfor %}{% else %}anywhere{% endif %}
<p>Authority administration allowed for: {% for i in ca.admin_users %}{{ i }} {% endfor %}</p>
<h2>IPsec gateway on OpenWrt</h2>
{% set s = ca.certificate.subject %}
<pre>
opkg update
opkg install strongswan-default curl openssl-util
modprobe authenc
</pre>
<p>Generate key and submit using standard shell tools:</p>
<pre>
CN=$(cat /proc/sys/kernel/hostname)
curl {{request.url}}/certificate/ > /etc/ipsec.d/cacerts/ca.pem
openssl genrsa -out /etc/ipsec.d/private/$CN.pem 4096
chmod 0600 /etc/ipsec.d/private/$CN.pem
openssl req -new -sha256 -key /etc/ipsec.d/private/$CN.pem -out /etc/ipsec.d/reqs/$CN.pem -subj "{% if s.C %}/C={{s.C}}{% endif %}{% if s.ST %}/ST={{s.ST}}{% endif %}{% if s.L %}/L={{s.L}}{% endif %}{% if s.O %}/O={{s.O}}{% endif %}{% if s.OU %}/OU={{s.OU}}{% endif %}/CN=$CN"
curl -L -H "Content-Type: application/pkcs10" --data-binary @/etc/ipsec.d/reqs/$CN.pem {{request.uri}}/request/?autosign=yes\&wait=30 > /etc/ipsec.d/certs/$CN.pem.part
if [ $? -eq 0 ]; then mv /etc/ipsec.d/certs/$CN.pem.part /etc/ipsec.d/certs/$CN.pem; fi
openssl verify -CAfile /etc/ipsec.d/cacerts/ca.pem /etc/ipsec.d/certs/$CN.pem
</pre>
<p>
Inspect newly created files:
</p>
<pre>
openssl x509 -text -noout -in /etc/ipsec.d/cacerts/ca.pem
openssl x509 -text -noout -in /etc/ipsec.d/certs/$CN.pem
openssl rsa -check -in /etc/ipsec.d/private/$CN.pem
</pre>
<p>Assuming you have Certidude installed</p>
<pre>
certidude setup client {{request.url}}
</pre>
<p>To set up OpenVPN server</p>
<pre>
certidude setup openvpn server {{request.url}}
</pre>
<p>Or to set up OpenVPN client</p>
<pre>
certidude setup openvpn client {{request.url}}
</pre>
<h1>Pending requests</h1>
<ul>
{% for j in ca.get_requests() %}
<li id="request_{{ j.fingerprint() }}">
<a class="button" href="/api/{{ca.slug}}/request/{{j.common_name}}/">Fetch</a>
{% if j.signable %}
<button onClick="javascript:$.ajax({url:'/api/{{ca.slug}}/request/{{j.common_name}}/',type:'patch'});">Sign</button>
{% else %}
<button title="Please use certidude command-line utility to sign unusual requests" disabled>Sign</button>
{% endif %}
<button onClick="javascript:$.ajax({url:'/api/{{ca.slug}}/request/{{j.common_name}}/',type:'delete'});">Delete</button>
<div class="monospace">
{% include 'iconmonstr-certificate-15-icon.svg' %}
{{j.distinguished_name}}
</div>
{% if j.email_address %}
<div class="email">{% include 'iconmonstr-email-2-icon.svg' %} {{ j.email_address }}</div>
{% endif %}
<div class="monospace">
{% include 'iconmonstr-key-2-icon.svg' %}
<span title="SHA-1 of public key">
{{ j.fingerprint() }}
</span>
{{ j.key_length }}-bit
{{ j.key_type }}
</div>
{% set key_usage = j.key_usage %}
{% if key_usage %}
<div>
{% include 'iconmonstr-flag-3-icon.svg' %}
{{j.key_usage}}
</div>
{% endif %}
</li>
{% else %}
<li>Great job! No certificate signing requests to sign.</li>
{% endfor %}
</ul>
<h1>Signed certificates</h1>
<p>You can fetch a certificate by <i>common name</i> signing the request</p>
<pre>
curl -f {{request.url}}/signed/$CN > $CN.crt
</pre>
<ul>
{% for j in ca.get_signed() | sort | reverse %}
<li id="certificate_{{ j.fingerprint() }}">
<a class="button" href="/api/{{ca.slug}}/signed/{{j.subject.CN}}/">Fetch</a>
<button onClick="javascript:$.ajax({url:'/api/{{ca.slug}}/signed/{{j.subject.CN}}/',type:'delete'});">Revoke</button>
<div class="monospace">
{% include 'iconmonstr-certificate-15-icon.svg' %}
{{j.distinguished_name}}
</div>
{% if j.email_address %}
<div class="email">{% include 'iconmonstr-email-2-icon.svg' %} {{ j.email_address }}</div>
{% endif %}
<div class="monospace">
{% include 'iconmonstr-key-2-icon.svg' %}
<span title="SHA-1 of public key">
{{ j.fingerprint() }}
</span>
{{ j.key_length }}-bit
{{ j.key_type }}
</div>
<div>
{% include 'iconmonstr-flag-3-icon.svg' %}
{{j.key_usage}}
</div>
</li>
{% endfor %}
</ul>
<h1>Revoked certificates</h1>
<p>To fetch certificate revocation list:</p>
<pre>
curl {{request.url}}/revoked/ | openssl crl -text -noout
</pre>
<!--
<p>To perform online certificate status request</p>
<pre>
curl {{request.url}}/certificate/ > ca.pem
openssl ocsp -issuer ca.pem -CAfile ca.pem -url {{request.url}}/ocsp/ -serial 0x
</pre>
-->
<ul>
{% for j in ca.get_revoked() %}
<li id="certificate_{{ j.fingerprint() }}">
{{j.changed}}
{{j.serial_number}} <span class="monospace">{{j.distinguished_name}}</span>
</li>
{% else %}
<li>Great job! No certificate signing requests to sign.</li>
{% endfor %}
</ul>
</div>
</body>
<footer>
<a href="http://github.com/laurivosandi/certidude">Certidude</a> by
<a href="http://github.com/laurivosandi/">Lauri Võsandi</a>
</footer>
</html>

13
certidude/templates/openssl.cnf
View File

@ -1,7 +1,7 @@
# You have to copy the settings to the system-wide # You have to copy the settings to the system-wide
# OpenSSL configuration (usually /etc/ssl/openssl.cnf # OpenSSL configuration (usually /etc/ssl/openssl.cnf
[CA_{{slug}}] [CA_{{common_name}}]
default_crl_days = {{revocation_list_lifetime}} default_crl_days = {{revocation_list_lifetime}}
default_days = {{certificate_lifetime}} default_days = {{certificate_lifetime}}
dir = {{directory}} dir = {{directory}}
@ -18,8 +18,8 @@ crlDistributionPoints = {{crl_distribution_points}}
{% if email_address %} {% if email_address %}
emailAddress = {{email_address}} emailAddress = {{email_address}}
{% endif %} {% endif %}
x509_extensions = {{slug}}_cert x509_extensions = {{common_name}}_cert
policy = policy_{{slug}} policy = policy_{{common_name}}
# Certidude specific stuff, TODO: move to separate section? # Certidude specific stuff, TODO: move to separate section?
request_subnets = 10.0.0.0/8 192.168.0.0/16 172.168.0.0/16 request_subnets = 10.0.0.0/8 192.168.0.0/16 172.168.0.0/16
@ -28,10 +28,9 @@ admin_subnets = 127.0.0.0/8
admin_users = admin_users =
inbox = {{inbox}} inbox = {{inbox}}
outbox = {{outbox}} outbox = {{outbox}}
publish_certificate_url = {{publish_certificate_url}} push_server = {{push_server}}
subscribe_certificate_url = {{subscribe_certificate_url}}
[policy_{{slug}}] [policy_{{common_name}}]
countryName = match countryName = match
stateOrProvinceName = match stateOrProvinceName = match
organizationName = match organizationName = match
@ -39,7 +38,7 @@ organizationalUnitName = optional
commonName = supplied commonName = supplied
emailAddress = optional emailAddress = optional
[{{slug}}_cert] [{{common_name}}_cert]
basicConstraints = CA:FALSE basicConstraints = CA:FALSE
keyUsage = nonRepudiation,digitalSignature,keyEncipherment keyUsage = nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth extendedKeyUsage = clientAuth

26
certidude/wrappers.py
View File

@ -84,8 +84,8 @@ class CertificateAuthorityConfig(object):
else: else:
return default return default
def instantiate_authority(self, slug): def instantiate_authority(self, common_name):
section = "CA_" + slug section = "CA_" + common_name
dirs = dict([(key, self.get(section, key)) dirs = dict([(key, self.get(section, key))
for key in ("dir", "certificate", "crl", "certs", "new_certs_dir", "private_key", "revoked_certs_dir", "request_subnets", "autosign_subnets", "admin_subnets", "admin_users", "push_server", "database", "inbox", "outbox")]) for key in ("dir", "certificate", "crl", "certs", "new_certs_dir", "private_key", "revoked_certs_dir", "request_subnets", "autosign_subnets", "admin_subnets", "admin_users", "push_server", "database", "inbox", "outbox")])
@ -105,7 +105,7 @@ class CertificateAuthorityConfig(object):
dirs["basic_constraints"] = self.get(extensions_section, "basicConstraints") dirs["basic_constraints"] = self.get(extensions_section, "basicConstraints")
dirs["key_usage"] = self.get(extensions_section, "keyUsage") dirs["key_usage"] = self.get(extensions_section, "keyUsage")
dirs["extended_key_usage"] = self.get(extensions_section, "extendedKeyUsage") dirs["extended_key_usage"] = self.get(extensions_section, "extendedKeyUsage")
authority = CertificateAuthority(slug, **dirs) authority = CertificateAuthority(common_name, **dirs)
return authority return authority
@ -129,13 +129,16 @@ class CertificateAuthorityConfig(object):
def pop_certificate_authority(self): def pop_certificate_authority(self):
def wrapper(func): def wrapper(func):
def wrapped(*args, **kwargs): def wrapped(*args, **kwargs):
slug = kwargs.pop("ca") common_name = kwargs.pop("ca")
kwargs["ca"] = self.instantiate_authority(slug) kwargs["ca"] = self.instantiate_authority(common_name)
return func(*args, **kwargs) return func(*args, **kwargs)
return wrapped return wrapped
return wrapper return wrapper
class CertificateBase: class CertificateBase:
def __repr__(self):
return self.buf
@property @property
def given_name(self): def given_name(self):
return self.subject.GN return self.subject.GN
@ -433,15 +436,14 @@ class Certificate(CertificateBase):
return self.signed <= other.signed return self.signed <= other.signed
class CertificateAuthority(object): class CertificateAuthority(object):
def __init__(self, slug, certificate, crl, certs, new_certs_dir, revoked_certs_dir=None, private_key=None, autosign_subnets=None, request_subnets=None, admin_subnets=None, admin_users=None, email_address=None, inbox=None, outbox=None, basic_constraints="CA:FALSE", key_usage="digitalSignature,keyEncipherment", extended_key_usage="clientAuth", certificate_lifetime=5*365, revocation_list_lifetime=1, push_server=None, database=None): def __init__(self, common_name, certificate, crl, certs, new_certs_dir, revoked_certs_dir=None, private_key=None, autosign_subnets=None, request_subnets=None, admin_subnets=None, admin_users=None, email_address=None, inbox=None, outbox=None, basic_constraints="CA:FALSE", key_usage="digitalSignature,keyEncipherment", extended_key_usage="clientAuth", certificate_lifetime=5*365, revocation_list_lifetime=1, push_server=None, database=None):
import hashlib import hashlib
m = hashlib.sha512() m = hashlib.sha512()
m.update(slug.encode("ascii")) m.update(common_name.encode("ascii"))
m.update(b"TODO:server-secret-goes-here") m.update(b"TODO:server-secret-goes-here")
self.uuid = m.hexdigest() self.uuid = m.hexdigest()
self.slug = slug
self.revocation_list = crl self.revocation_list = crl
self.signed_dir = certs self.signed_dir = certs
self.request_dir = new_certs_dir self.request_dir = new_certs_dir
@ -476,6 +478,10 @@ class CertificateAuthority(object):
else: else:
self.admin_users = set([j for j in admin_users.split(" ") if j]) self.admin_users = set([j for j in admin_users.split(" ") if j])
@property
def common_name(self):
return self.certificate.common_name
@property @property
def database(self): def database(self):
from urllib.parse import urlparse from urllib.parse import urlparse
@ -530,14 +536,14 @@ class CertificateAuthority(object):
return buf return buf
def __repr__(self): def __repr__(self):
return "CertificateAuthority(slug=%s)" % repr(self.slug) return "CertificateAuthority(common_name=%s)" % repr(self.common_name)
def get_certificate(self, cn): def get_certificate(self, cn):
return open(os.path.join(self.signed_dir, cn + ".pem")).read() return open(os.path.join(self.signed_dir, cn + ".pem")).read()
def connect_signer(self): def connect_signer(self):
sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
sock.connect("/run/certidude/signer/%s.sock" % self.slug) sock.connect("/run/certidude/signer/%s.sock" % self.common_name)
return sock return sock
def revoke(self, cn): def revoke(self, cn):