scottk/OpenNetworkLinux
1
0
Fork 0
mirror of https://github.com/Telecominfraproject/OpenNetworkLinux.git synced 2025-12-25 17:27:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

PKI Now implemented as part of the OnlMountContext for ONL-CONFIG.

Browse Source
This commit is contained in:
Jeffrey Townsend
2016-05-27 19:44:40 +00:00
parent 96c9f612b8
commit d0e96743da
1 changed files with 48 additions and 79 deletions
Download Patch File Download Diff File Expand all files Collapse all files

127
packages/base/all/vendor-config-onl/src/python/onl/pki/__init__.py
View File

@@ -13,83 +13,69 @@ import shutil
import subprocess
import tempfile
import yaml
from onl.mounts import OnlMountManager, OnlMountContextReadOnly, OnlMountContextReadWrite
from onl.sysconfig import sysconfig
from onl.util import *
from onl.mounts import OnlDataStore
class OnlPki(OnlServiceMixin):
"""Initialize the ONL-CONFIG::PKI credentials."""
class OnlPKI(OnlDataStore):
P_DIR='private'
R_DIR='/private'
CONFIG_PKI_DIR="/mnt/onl/config/pki"
PRIVATE_KEY='key.pem'
CERTIFICATE='certificate'
def __init__(self, logger):
self.logger = logger
self.kpath = os.path.join(self.CONFIG_PKI_DIR,
sysconfig.pki.key.name)
KLEN=2048
CDAYS=3650
CSR_FILE='/etc/onl/config/csr.yml'
def __init__(self, logger=None):
OnlDataStore.__init__(self, logger)
self.kpath = os.path.join(self.R_DIR, self.PRIVATE_KEY)
self.cpath = os.path.join(self.R_DIR, self.CERTIFICATE)
def init_cert(self, force=False):
if not os.path.exists(self.cpath) or force:
self.logger.info("Generating self-signed certificate...")
#
# The csr.yml file allows the system integrator to customize
# the fields for the certificate.
#
fdict = {}
try:
fdict = yaml.load(open(self.CSR_FILE))
except Exception, e:
self.logger.error(e);
csr = tempfile.NamedTemporaryFile(prefix="pki-", suffix=".csr", delete=False)
csr.close()
fields = [ "%s=%s" % (k, v) for k,v in fdict.iteritems() ]
subject = "/" + "/".join(fields)
self.logger.debug("Subject: '%s'", subject)
self.logger.debug("CSR: %s", csr.name)
self._execute("""openssl req -new -batch -subj "%s" -key %s -out %s""" % (
subject, self.kpath, csr.name))
self._execute("""openssl x509 -req -days %s -in %s -signkey %s -out %s""" % (
self.CDAYS,
csr.name, self.kpath, self.cpath))
os.unlink(csr.name)
else:
self.logger.info("Using existing certificate.")
self.cpath = os.path.join(self.CONFIG_PKI_DIR,
sysconfig.pki.cert.name)
def init_key(self, force=False):
if not os.path.exists(self.kpath) or force:
self.logger.info("Generating private key...")
cmd = "openssl genrsa -out %s %s" % (self.kpath, self.KLEN)
self._execute(cmd)
self.init_cert(force=True)
else:
self.logger.info("Using existing private key.")
with OnlMountContextReadOnly("ONL-CONFIG", self.logger):
if not os.path.exists(self.kpath) or force:
self.logger.info("Generating private key...")
cmd = "openssl genrsa -out %s %s" % (self.kpath, sysconfig.pki.key.len)
with OnlMountContextReadWrite("ONL-CONFIG", self.logger):
if not os.path.isdir(self.CONFIG_PKI_DIR):
os.makedirs(self.CONFIG_PKI_DIR)
self._execute(cmd)
self.init_cert(force=True)
else:
self.logger.info("Using existing private key.")
def init_cert(self, force=False):
with OnlMountContextReadOnly("ONL-CONFIG", self.logger):
if not os.path.exists(self.cpath) or force:
self.logger.info("Generating self-signed certificate...")
csr = tempfile.NamedTemporaryFile(prefix="pki-", suffix=".csr", delete=False)
csr.close()
fields = [ "%s=%s" % (k, v) for k,v in sysconfig.pki.cert.csr.fields.iteritems() ]
subject = "/" + "/".join(fields)
self.logger.debug("Subject: '%s'", subject)
self.logger.debug("CSR: %s", csr.name)
with OnlMountContextReadWrite("ONL-CONFIG", self.logger):
if not os.path.isdir(self.CONFIG_PKI_DIR):
os.makedirs(self.CONFIG_PKI_DIR)
self._execute("""openssl req -new -batch -subj "%s" -key %s -out %s""" % (
subject, self.kpath, csr.name))
self._execute("""openssl x509 -req -days %s -in %s -signkey %s -out %s""" % (
sysconfig.pki.cert.csr.cdays,
csr.name, self.kpath, self.cpath))
os.unlink(csr.name)
else:
self.logger.info("Using existing certificate.")
def init(self, force=False):
self.init_key(force=force)
self.init_cert(force=force)
self.commit_runtime()
@staticmethod
def main():
ap = argparse.ArgumentParser(description="ONL PKI Management")
ap.add_argument("--init", action='store_true', help="Initialize /private and PKI files if necessary.")
ap.add_argument("--init", action='store_true', help="Initialize PKI files (if necessary)")
ap.add_argument("--regen-cert", action='store_true', help="Regenerate certificate.")
ap.add_argument("--force", "-f", action='store_true', help="Force regeneration of the key and certificate during initialization (--init)")
ap.add_argument("--commit", action='store_true', help="Commit the runtime /private directory to the persistant storage.")
ap.add_argument("--ls", action='store_true', help="List contents of the peristant directory.")
ap.add_argument("--quiet", "-q", action='store_true', help="Quiet output.")
ap.add_argument("--verbose", "-v", action='store_true', help="Verbose output.")
ap.add_argument("--part", help='Override Data Partition (testing only).')
ap.add_argument("--rd", help='Override /private runtime directory (testing only)')
ops = ap.parse_args()
@@ -103,27 +89,10 @@ class OnlPKI(OnlDataStore):
else:
logger.setLevel(logging.INFO)
if ops.part:
OnlPKI.DATA_PARTITION=ops.part
if ops.rd:
OnlPKI.R_DIR=ops.rd
pki = OnlPKI(logger)
pki = OnlPki(logger)
if ops.init:
pki.init_runtime()
pki.init_key(force=ops.force)
pki.init_cert(force=ops.force)
pki.commit_runtime()
elif ops.regen_cert:
pki.init_cert(force=True)
pki.commit_runtime()
elif ops.commit:
pki.commit_runtime()
elif ops.ls:
pki.ls()
else:
pki.diff()