.drone.yml

@@ -1,16 +0,0 @@
----
-kind: pipeline
-type: kubernetes
-name: default
-
-steps:
-- name: docker
-  image: plugins/docker
-  settings:
-    repo: harbor.k-space.ee/${DRONE_REPO}
-    registry: harbor.k-space.ee
-    mtu: 1300
-    username:
-      from_secret: docker_username
-    password:
-      from_secret: docker_password

pinecrypt/server/api/bootstrap.py

@@ -6,23 +6,6 @@ from pinecrypt.server.mongolog import LogHandler
 
 logger = LogHandler()
 
-# Algorithm mappings for pki.js
-SIGNATURE_ALGO_MAPPING = {
-    "rsassa_pkcs1v15": "RSASSA-PKCS1-v1_5",
-    "ecdsa": "ECDSA",
-}
-
-HASH_ALGO_MAPPING = {
-    "sha256": "SHA-256",
-    "sha384": "SHA-384",
-    "sha512": "SHA-512",
-}
-
-CURVE_NAME_MAPPING = {
-    "secp256r1": "P-256",
-    "secp384r1": "P-384",
-    "secp521r1": "P-521",
-}
 
 class BootstrapResource(object):
     @serialize
@@ -47,16 +30,10 @@ class BootstrapResource(object):
                 ike=config.get("Globals", "STRONGSWAN_IKE")["value"],
                 esp=config.get("Globals", "STRONGSWAN_ESP")["value"],
             ),
-            webcrypto=dict(
-                hash_algorithm=HASH_ALGO_MAPPING[authority.certificate.hash_algo],
-                signature_algorithm=SIGNATURE_ALGO_MAPPING[authority.certificate.signature_algo],
-                curve=CURVE_NAME_MAPPING.get(const.CURVE_NAME),
-            ),
             certificate=dict(
                 key_size=const.KEY_SIZE,
                 curve=const.CURVE_NAME,
-                hash_algorithm=authority.certificate.hash_algo,
-                signature_algorithm=authority.certificate.signature_algo,
+                hash_algorithm=const.CERTIFICATE_HASH_ALGORITHM,
                 algorithm=authority.public_key.algorithm,
                 common_name=authority.certificate.subject.native["common_name"],
                 distinguished_name=cert_to_dn(authority.certificate),

pinecrypt/server/api/request.py

@@ -140,7 +140,7 @@ class RequestListResource(object):
 
                         logger.info("Signed %s as %s is whitelisted for autosign", common_name, req.context["remote"]["addr"])
                         return
-                    except errors.RequestExists:
+                    except EnvironmentError:
                         logger.info("Autosign for %s from %s failed, signed certificate already exists",
                             common_name, req.context["remote"]["addr"])
                         reasons.append("autosign failed, signed certificate already exists")

pinecrypt/server/authority.py

@@ -55,7 +55,7 @@ def self_enroll(skip_notify=False):
             return
 
     builder = CSRBuilder({"common_name": common_name}, self_public_key)
-    builder.hash_algo = certificate.hash_algo # Copy from CA cert
+    builder.hash_algo = const.CERTIFICATE_HASH_ALGORITHM
     request = builder.build(private_key)
 
     now = datetime.utcnow().replace(tzinfo=pytz.UTC)
@@ -390,7 +390,9 @@ def sign(profile, skip_notify=False, overwrite=False, signer=None, namespace=con
     builder = CertificateBuilder(cn_to_dn(common_name,
         ou=profile["ou"]), csr_pubkey)
     builder.serial_number = generate_serial()
-    builder.hash_algo = certificate.hash_algo # Copy hash algorithm from CA cert
+
+    if csr["signature_algorithm"].hash_algo == const.CERTIFICATE_HASH_ALGORITHM:
+        builder.hash_algo = const.CERTIFICATE_HASH_ALGORITHM
 
     now = datetime.utcnow().replace(tzinfo=pytz.UTC)
     builder.begin_date = now - const.CLOCK_SKEW_TOLERANCE

pinecrypt/server/const.py

@@ -35,6 +35,13 @@ REPLICAS = [j for j in os.getenv("REPLICAS", "").split(",") if j]
 if not MONGO_URI:
     MONGO_URI = "mongodb://127.0.0.1:27017/default?replicaSet=rs0"
 
+# Are set later, based on key type
+KEY_SIZE = None
+CURVE_NAME = None
+
+# python CSRbuilder supports right now sha1, sha256 sha512
+CERTIFICATE_HASH_ALGORITHM = "sha512"
+
 # Kerberos-like clock skew tolerance
 CLOCK_SKEW_TOLERANCE = timedelta(minutes=5)
 
@@ -97,12 +104,11 @@ AUTHORITY_OCSP_URL = "http://%s/api/ocsp/" % AUTHORITY_NAMESPACE
 AUTHORITY_OCSP_DISABLED = os.getenv("AUTHORITY_OCSP_DISABLED", False)
 AUTHORITY_KEYTYPE = getenv_in("AUTHORITY_KEYTYPE", "rsa", "ec")
 
+if AUTHORITY_KEYTYPE == "rsa":
+    KEY_SIZE = 4096
 
-# Key parameter defaults for now
-# Subject to change in future, make sure changing these won't break any existing deployments!
-KEY_SIZE = 4096  # Key size for RSA based certificates
-CURVE_NAME = "secp384r1"  # Curve name for EC based certificates
-CERTIFICATE_HASH_ALGORITHM = "sha512" # Certificate hashing algorithm
+if AUTHORITY_KEYTYPE == "ec":
+    CURVE_NAME = "secp384r1"
 
 # Tokens
 TOKEN_URL = "https://%(authority_name)s/#action=enroll&title=dev.lan&token=%(token)s&subject=%(subject_username)s&protocols=%(protocols)s"

pinecrypt/server/logger.py

@@ -22,9 +22,6 @@ class CertidudeLogger(object):
     def debug(self, msg, *args):
         self.pre_emit(msg, *args, level="Debug")
 
-    def critical(self, msg, *args):
-        self.pre_emit(msg, *args, level="Critical")
-
     def pre_emit(self, msg, *args, level):
         record = LoggerObject()
         record.msg = msg