Compare commits

...

9 Commits
dev ... master

Author SHA1 Message Date
d1857a8eda Generalize Drone configuration
All checks were successful
continuous-integration/drone Build is passing
2022-02-09 14:04:44 +02:00
fd3a88cd79 Add Drone config
Some checks failed
continuous-integration/drone Build is failing
2022-02-09 00:08:37 +02:00
Marvin Martinson
081b323621 Merge branch 'dev' 2021-09-30 14:14:48 +00:00
13c106e7b8 Export curve name for WebCrypto 2021-09-29 14:10:55 +03:00
073e4274e6 Move WebCrypto parameters under separate dict 2021-09-29 13:54:49 +03:00
9e3c43588a Catch correct exception in case of duplicate submission 2021-09-29 13:41:28 +03:00
Marvin Martinson
6508ade008 Add critical to log handler 2021-08-23 09:42:03 +00:00
25fe6f36cc Refactor algorithm reporting via /api/bootstrap 2021-08-19 21:39:27 +03:00
Marvin Martinson
f7017b9eed Add specific algorithm version 2021-08-19 10:46:48 +00:00
6 changed files with 51 additions and 17 deletions

16
.drone.yml Normal file
View File

@ -0,0 +1,16 @@
---
kind: pipeline
type: kubernetes
name: default
steps:
- name: docker
image: plugins/docker
settings:
repo: harbor.k-space.ee/${DRONE_REPO}
registry: harbor.k-space.ee
mtu: 1300
username:
from_secret: docker_username
password:
from_secret: docker_password

View File

@ -6,6 +6,23 @@ from pinecrypt.server.mongolog import LogHandler
logger = LogHandler()
# Algorithm mappings for pki.js
SIGNATURE_ALGO_MAPPING = {
"rsassa_pkcs1v15": "RSASSA-PKCS1-v1_5",
"ecdsa": "ECDSA",
}
HASH_ALGO_MAPPING = {
"sha256": "SHA-256",
"sha384": "SHA-384",
"sha512": "SHA-512",
}
CURVE_NAME_MAPPING = {
"secp256r1": "P-256",
"secp384r1": "P-384",
"secp521r1": "P-521",
}
class BootstrapResource(object):
@serialize
@ -30,10 +47,16 @@ class BootstrapResource(object):
ike=config.get("Globals", "STRONGSWAN_IKE")["value"],
esp=config.get("Globals", "STRONGSWAN_ESP")["value"],
),
webcrypto=dict(
hash_algorithm=HASH_ALGO_MAPPING[authority.certificate.hash_algo],
signature_algorithm=SIGNATURE_ALGO_MAPPING[authority.certificate.signature_algo],
curve=CURVE_NAME_MAPPING.get(const.CURVE_NAME),
),
certificate=dict(
key_size=const.KEY_SIZE,
curve=const.CURVE_NAME,
hash_algorithm=const.CERTIFICATE_HASH_ALGORITHM,
hash_algorithm=authority.certificate.hash_algo,
signature_algorithm=authority.certificate.signature_algo,
algorithm=authority.public_key.algorithm,
common_name=authority.certificate.subject.native["common_name"],
distinguished_name=cert_to_dn(authority.certificate),

View File

@ -140,7 +140,7 @@ class RequestListResource(object):
logger.info("Signed %s as %s is whitelisted for autosign", common_name, req.context["remote"]["addr"])
return
except EnvironmentError:
except errors.RequestExists:
logger.info("Autosign for %s from %s failed, signed certificate already exists",
common_name, req.context["remote"]["addr"])
reasons.append("autosign failed, signed certificate already exists")

View File

@ -55,7 +55,7 @@ def self_enroll(skip_notify=False):
return
builder = CSRBuilder({"common_name": common_name}, self_public_key)
builder.hash_algo = const.CERTIFICATE_HASH_ALGORITHM
builder.hash_algo = certificate.hash_algo # Copy from CA cert
request = builder.build(private_key)
now = datetime.utcnow().replace(tzinfo=pytz.UTC)
@ -390,9 +390,7 @@ def sign(profile, skip_notify=False, overwrite=False, signer=None, namespace=con
builder = CertificateBuilder(cn_to_dn(common_name,
ou=profile["ou"]), csr_pubkey)
builder.serial_number = generate_serial()
if csr["signature_algorithm"].hash_algo == const.CERTIFICATE_HASH_ALGORITHM:
builder.hash_algo = const.CERTIFICATE_HASH_ALGORITHM
builder.hash_algo = certificate.hash_algo # Copy hash algorithm from CA cert
now = datetime.utcnow().replace(tzinfo=pytz.UTC)
builder.begin_date = now - const.CLOCK_SKEW_TOLERANCE

View File

@ -35,13 +35,6 @@ REPLICAS = [j for j in os.getenv("REPLICAS", "").split(",") if j]
if not MONGO_URI:
MONGO_URI = "mongodb://127.0.0.1:27017/default?replicaSet=rs0"
# Are set later, based on key type
KEY_SIZE = None
CURVE_NAME = None
# python CSRbuilder supports right now sha1, sha256 sha512
CERTIFICATE_HASH_ALGORITHM = "sha512"
# Kerberos-like clock skew tolerance
CLOCK_SKEW_TOLERANCE = timedelta(minutes=5)
@ -104,11 +97,12 @@ AUTHORITY_OCSP_URL = "http://%s/api/ocsp/" % AUTHORITY_NAMESPACE
AUTHORITY_OCSP_DISABLED = os.getenv("AUTHORITY_OCSP_DISABLED", False)
AUTHORITY_KEYTYPE = getenv_in("AUTHORITY_KEYTYPE", "rsa", "ec")
if AUTHORITY_KEYTYPE == "rsa":
KEY_SIZE = 4096
if AUTHORITY_KEYTYPE == "ec":
CURVE_NAME = "secp384r1"
# Key parameter defaults for now
# Subject to change in future, make sure changing these won't break any existing deployments!
KEY_SIZE = 4096 # Key size for RSA based certificates
CURVE_NAME = "secp384r1" # Curve name for EC based certificates
CERTIFICATE_HASH_ALGORITHM = "sha512" # Certificate hashing algorithm
# Tokens
TOKEN_URL = "https://%(authority_name)s/#action=enroll&title=dev.lan&token=%(token)s&subject=%(subject_username)s&protocols=%(protocols)s"

View File

@ -22,6 +22,9 @@ class CertidudeLogger(object):
def debug(self, msg, *args):
self.pre_emit(msg, *args, level="Debug")
def critical(self, msg, *args):
self.pre_emit(msg, *args, level="Critical")
def pre_emit(self, msg, *args, level):
record = LoggerObject()
record.msg = msg