Compare commits
9 Commits
Author | SHA1 | Date | |
---|---|---|---|
d1857a8eda | |||
fd3a88cd79 | |||
|
081b323621 | ||
13c106e7b8 | |||
073e4274e6 | |||
9e3c43588a | |||
|
6508ade008 | ||
25fe6f36cc | |||
|
f7017b9eed |
16
.drone.yml
Normal file
16
.drone.yml
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
---
|
||||||
|
kind: pipeline
|
||||||
|
type: kubernetes
|
||||||
|
name: default
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: docker
|
||||||
|
image: plugins/docker
|
||||||
|
settings:
|
||||||
|
repo: harbor.k-space.ee/${DRONE_REPO}
|
||||||
|
registry: harbor.k-space.ee
|
||||||
|
mtu: 1300
|
||||||
|
username:
|
||||||
|
from_secret: docker_username
|
||||||
|
password:
|
||||||
|
from_secret: docker_password
|
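Review bot: The pipeline has no `trigger:` block and the docker step sets no `tags:`, so if this is the whole file (the `-0,0 +1,16` header suggests so) a push on any branch builds and pushes to `harbor.k-space.ee/${DRONE_REPO}`, and with the plugins/docker default that image lands as `latest`. That lets an unreviewed branch overwrite the tag consumers presumably pull. Consider adding `trigger:` with `branch:` or `event: [push, tag]` restrictions, and either `auto_tag: true` or `tags: ${DRONE_COMMIT_SHA}` under `settings:` so each push is addressable and `latest` is only produced from the intended branch.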
@ -6,6 +6,23 @@ from pinecrypt.server.mongolog import LogHandler
|
|||||||
|
|
||||||
logger = LogHandler()
|
logger = LogHandler()
|
||||||
|
|
||||||
|
# Algorithm mappings for pki.js
|
||||||
|
SIGNATURE_ALGO_MAPPING = {
|
||||||
|
"rsassa_pkcs1v15": "RSASSA-PKCS1-v1_5",
|
||||||
|
"ecdsa": "ECDSA",
|
||||||
|
}
|
||||||
|
|
||||||
|
HASH_ALGO_MAPPING = {
|
||||||
|
"sha256": "SHA-256",
|
||||||
|
"sha384": "SHA-384",
|
||||||
|
"sha512": "SHA-512",
|
||||||
|
}
|
||||||
|
|
||||||
|
CURVE_NAME_MAPPING = {
|
||||||
|
"secp256r1": "P-256",
|
||||||
|
"secp384r1": "P-384",
|
||||||
|
"secp521r1": "P-521",
|
||||||
|
}
|
||||||
|
|
||||||
class BootstrapResource(object):
|
class BootstrapResource(object):
|
||||||
@serialize
|
@serialize
|
||||||
@ -30,10 +47,16 @@ class BootstrapResource(object):
|
|||||||
ike=config.get("Globals", "STRONGSWAN_IKE")["value"],
|
ike=config.get("Globals", "STRONGSWAN_IKE")["value"],
|
||||||
esp=config.get("Globals", "STRONGSWAN_ESP")["value"],
|
esp=config.get("Globals", "STRONGSWAN_ESP")["value"],
|
||||||
),
|
),
|
||||||
|
webcrypto=dict(
|
||||||
|
hash_algorithm=HASH_ALGO_MAPPING[authority.certificate.hash_algo],
|
||||||
|
signature_algorithm=SIGNATURE_ALGO_MAPPING[authority.certificate.signature_algo],
|
||||||
|
curve=CURVE_NAME_MAPPING.get(const.CURVE_NAME),
|
||||||
|
),
|
||||||
certificate=dict(
|
certificate=dict(
|
||||||
key_size=const.KEY_SIZE,
|
key_size=const.KEY_SIZE,
|
||||||
curve=const.CURVE_NAME,
|
curve=const.CURVE_NAME,
|
||||||
hash_algorithm=const.CERTIFICATE_HASH_ALGORITHM,
|
hash_algorithm=authority.certificate.hash_algo,
|
||||||
|
signature_algorithm=authority.certificate.signature_algo,
|
||||||
algorithm=authority.public_key.algorithm,
|
algorithm=authority.public_key.algorithm,
|
||||||
common_name=authority.certificate.subject.native["common_name"],
|
common_name=authority.certificate.subject.native["common_name"],
|
||||||
distinguished_name=cert_to_dn(authority.certificate),
|
distinguished_name=cert_to_dn(authority.certificate),
|
||||||
|
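Review bot: The three webcrypto lookups fail differently: `HASH_ALGO_MAPPING[authority.certificate.hash_algo]` and `SIGNATURE_ALGO_MAPPING[authority.certificate.signature_algo]` raise KeyError for any CA algorithm outside the three-entry tables added in the earlier hunk of this file (for example a CA signed with sha1, which the const.py comment elsewhere in this compare says CSRBuilder still accepts), while `curve=CURVE_NAME_MAPPING.get(const.CURVE_NAME)` silently yields None. An unhandled KeyError would turn the bootstrap response into a server error with no indication that the CA's algorithm is simply unsupported by the pki.js client. Either use `.get()` for all three, or validate the CA algorithms once at startup and keep the indexing; in both cases a comment on the tables such as `# Only these algorithms are offered to pki.js clients; a CA using anything else cannot be bootstrapped` would record the intent. The enclosing method starts outside this hunk.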
@ -140,7 +140,7 @@ class RequestListResource(object):
|
|||||||
|
|
||||||
logger.info("Signed %s as %s is whitelisted for autosign", common_name, req.context["remote"]["addr"])
|
logger.info("Signed %s as %s is whitelisted for autosign", common_name, req.context["remote"]["addr"])
|
||||||
return
|
return
|
||||||
except EnvironmentError:
|
except errors.RequestExists:
|
||||||
logger.info("Autosign for %s from %s failed, signed certificate already exists",
|
logger.info("Autosign for %s from %s failed, signed certificate already exists",
|
||||||
common_name, req.context["remote"]["addr"])
|
common_name, req.context["remote"]["addr"])
|
||||||
reasons.append("autosign failed, signed certificate already exists")
|
reasons.append("autosign failed, signed certificate already exists")
|
||||||
|
@ -55,7 +55,7 @@ def self_enroll(skip_notify=False):
|
|||||||
return
|
return
|
||||||
|
|
||||||
builder = CSRBuilder({"common_name": common_name}, self_public_key)
|
builder = CSRBuilder({"common_name": common_name}, self_public_key)
|
||||||
builder.hash_algo = const.CERTIFICATE_HASH_ALGORITHM
|
builder.hash_algo = certificate.hash_algo # Copy from CA cert
|
||||||
request = builder.build(private_key)
|
request = builder.build(private_key)
|
||||||
|
|
||||||
now = datetime.utcnow().replace(tzinfo=pytz.UTC)
|
now = datetime.utcnow().replace(tzinfo=pytz.UTC)
|
||||||
@ -390,9 +390,7 @@ def sign(profile, skip_notify=False, overwrite=False, signer=None, namespace=con
|
|||||||
builder = CertificateBuilder(cn_to_dn(common_name,
|
builder = CertificateBuilder(cn_to_dn(common_name,
|
||||||
ou=profile["ou"]), csr_pubkey)
|
ou=profile["ou"]), csr_pubkey)
|
||||||
builder.serial_number = generate_serial()
|
builder.serial_number = generate_serial()
|
||||||
|
builder.hash_algo = certificate.hash_algo # Copy hash algorithm from CA cert
|
||||||
if csr["signature_algorithm"].hash_algo == const.CERTIFICATE_HASH_ALGORITHM:
|
|
||||||
builder.hash_algo = const.CERTIFICATE_HASH_ALGORITHM
|
|
||||||
|
|
||||||
now = datetime.utcnow().replace(tzinfo=pytz.UTC)
|
now = datetime.utcnow().replace(tzinfo=pytz.UTC)
|
||||||
builder.begin_date = now - const.CLOCK_SKEW_TOLERANCE
|
builder.begin_date = now - const.CLOCK_SKEW_TOLERANCE
|
||||||
|
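Review bot: `builder.hash_algo = certificate.hash_algo` now takes the issued certificate's digest unconditionally from the CA certificate's own signature, and removing the `csr["signature_algorithm"].hash_algo` check means the digest in the CSR is no longer consulted at all. If the CA certificate was signed with a weak digest (the const.py hunk in this compare still notes that CSRBuilder accepts sha1), every leaf certificate silently inherits it and nothing in the visible code rejects that. Consider guarding the copy, e.g. `if certificate.hash_algo not in ("sha256", "sha384", "sha512"): raise ValueError("Unsupported CA hash algorithm %s" % certificate.hash_algo)` before the assignment; the same applies to the identical line added in the self_enroll hunk above. `certificate` is bound outside both hunks and presumably is the module-level CA certificate; the body of sign() continues past the end of this hunk.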
@ -35,13 +35,6 @@ REPLICAS = [j for j in os.getenv("REPLICAS", "").split(",") if j]
|
|||||||
if not MONGO_URI:
|
if not MONGO_URI:
|
||||||
MONGO_URI = "mongodb://127.0.0.1:27017/default?replicaSet=rs0"
|
MONGO_URI = "mongodb://127.0.0.1:27017/default?replicaSet=rs0"
|
||||||
|
|
||||||
# Are set later, based on key type
|
|
||||||
KEY_SIZE = None
|
|
||||||
CURVE_NAME = None
|
|
||||||
|
|
||||||
# python CSRbuilder supports right now sha1, sha256 sha512
|
|
||||||
CERTIFICATE_HASH_ALGORITHM = "sha512"
|
|
||||||
|
|
||||||
# Kerberos-like clock skew tolerance
|
# Kerberos-like clock skew tolerance
|
||||||
CLOCK_SKEW_TOLERANCE = timedelta(minutes=5)
|
CLOCK_SKEW_TOLERANCE = timedelta(minutes=5)
|
||||||
|
|
||||||
@ -104,11 +97,12 @@ AUTHORITY_OCSP_URL = "http://%s/api/ocsp/" % AUTHORITY_NAMESPACE
|
|||||||
AUTHORITY_OCSP_DISABLED = os.getenv("AUTHORITY_OCSP_DISABLED", False)
|
AUTHORITY_OCSP_DISABLED = os.getenv("AUTHORITY_OCSP_DISABLED", False)
|
||||||
AUTHORITY_KEYTYPE = getenv_in("AUTHORITY_KEYTYPE", "rsa", "ec")
|
AUTHORITY_KEYTYPE = getenv_in("AUTHORITY_KEYTYPE", "rsa", "ec")
|
||||||
|
|
||||||
if AUTHORITY_KEYTYPE == "rsa":
|
|
||||||
KEY_SIZE = 4096
|
|
||||||
|
|
||||||
if AUTHORITY_KEYTYPE == "ec":
|
# Key parameter defaults for now
|
||||||
CURVE_NAME = "secp384r1"
|
# Subject to change in future, make sure changing these won't break any existing deployments!
|
||||||
|
KEY_SIZE = 4096 # Key size for RSA based certificates
|
||||||
|
CURVE_NAME = "secp384r1" # Curve name for EC based certificates
|
||||||
|
CERTIFICATE_HASH_ALGORITHM = "sha512" # Certificate hashing algorithm
|
||||||
|
|
||||||
# Tokens
|
# Tokens
|
||||||
TOKEN_URL = "https://%(authority_name)s/#action=enroll&title=dev.lan&token=%(token)s&subject=%(subject_username)s&protocols=%(protocols)s"
|
TOKEN_URL = "https://%(authority_name)s/#action=enroll&title=dev.lan&token=%(token)s&subject=%(subject_username)s&protocols=%(protocols)s"
|
||||||
|
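Review bot: The rewritten defaults set both `KEY_SIZE = 4096` and `CURVE_NAME = "secp384r1"` regardless of `AUTHORITY_KEYTYPE`, whereas the removed branches left the non-applicable one as None and the deleted comment `# Are set later, based on key type` suggests callers relied on that. Any code using `const.CURVE_NAME is None` to distinguish an RSA authority from an EC one now sees a curve for RSA deployments too; in this same compare the bootstrap resource reports `curve=const.CURVE_NAME` and `CURVE_NAME_MAPPING.get(const.CURVE_NAME)` to clients, so an RSA authority would advertise P-384. Unless that is intended, keep the gating (`KEY_SIZE = 4096 if AUTHORITY_KEYTYPE == "rsa" else None` and likewise for CURVE_NAME), or extend the new comment to say that only the value matching AUTHORITY_KEYTYPE is meaningful. The earlier hunk at `-35,13 +35,6` in this file is the matching removal.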
@ -22,6 +22,9 @@ class CertidudeLogger(object):
|
|||||||
def debug(self, msg, *args):
|
def debug(self, msg, *args):
|
||||||
self.pre_emit(msg, *args, level="Debug")
|
self.pre_emit(msg, *args, level="Debug")
|
||||||
|
|
||||||
|
def critical(self, msg, *args):
|
||||||
|
self.pre_emit(msg, *args, level="Critical")
|
||||||
|
|
||||||
def pre_emit(self, msg, *args, level):
|
def pre_emit(self, msg, *args, level):
|
||||||
record = LoggerObject()
|
record = LoggerObject()
|
||||||
record.msg = msg
|
record.msg = msg
|
||||||
|