1 # FIXME: more intelligent fault raises
6 Copyright 2007, Red Hat, Inc
9 This software may be freely redistributed under the terms of the GNU
10 general public license.
12 You should have received a copy of the GNU General Public License
13 along with this program; if not, write to the Free Software
14 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
18 import SimpleXMLRPCServer
22 from OpenSSL
import crypto
34 from config
import read_config
35 from commonconfig
import CMConfig
37 CERTMASTER_LISTEN_PORT
= 51235
38 CERTMASTER_CONFIG
= "/etc/certmaster/certmaster.conf"
40 class CertMaster(object):
41 def __init__(self
, conf_file
=CERTMASTER_CONFIG
):
42 self
.cfg
= read_config(conf_file
, CMConfig
)
44 usename
= utils
.get_hostname(talk_to_certmaster
=False)
46 mycn
= '%s-CA-KEY' % usename
47 self
.ca_key_file
= '%s/certmaster.key' % self
.cfg
.cadir
48 self
.ca_cert_file
= '%s/certmaster.crt' % self
.cfg
.cadir
50 self
.logger
= logger
.Logger().logger
51 self
.audit_logger
= logger
.AuditLogger()
54 if not os
.path
.exists(self
.cfg
.cadir
):
55 os
.makedirs(self
.cfg
.cadir
)
56 if not os
.path
.exists(self
.ca_key_file
) and not os
.path
.exists(self
.ca_cert_file
):
57 certs
.create_ca(CN
=mycn
, ca_key_file
=self
.ca_key_file
, ca_cert_file
=self
.ca_cert_file
)
58 except (IOError, OSError), e
:
59 print 'Cannot make certmaster certificate authority keys/certs, aborting: %s' % e
63 # open up the cakey and cacert so we have them available
64 self
.cakey
= certs
.retrieve_key_from_file(self
.ca_key_file
)
65 self
.cacert
= certs
.retrieve_cert_from_file(self
.ca_cert_file
)
67 for dirpath
in [self
.cfg
.cadir
, self
.cfg
.certroot
, self
.cfg
.csrroot
]:
68 if not os
.path
.exists(dirpath
):
73 'wait_for_cert': self
.wait_for_cert
,
76 def _dispatch(self
, method
, params
):
77 if method
== 'trait_names' or method
== '_getAttributeNames':
78 return self
.handlers
.keys()
80 # ip = self._this_request
83 # self.audit_logger.log_call(ip, method, params)
85 if method
in self
.handlers
.keys():
86 return self
.handlers
[method
](*params
)
88 self
.logger
.info("Unhandled method call for method: %s " % method
)
89 raise codes
.InvalidMethodException
91 def _sanitize_cn(self
, commonname
):
92 commonname
= commonname
.replace('/', '')
93 commonname
= commonname
.replace('\\', '')
96 def wait_for_cert(self
, csrbuf
):
99 returns True, caller_cert, ca_cert
100 returns False, '', ''
104 csrreq
= crypto
.load_certificate_request(crypto
.FILETYPE_PEM
, csrbuf
)
105 except crypto
.Error
, e
:
106 #XXX need to raise a fault here and document it - but false is just as good
109 requesting_host
= self
._sanitize
_cn
(csrreq
.get_subject().CN
)
112 self
.logger
.info("%s requested signing of cert %s" % (requesting_host
,csrreq
.get_subject().CN
))
113 # get rid of dodgy characters in the filename we're about to make
115 certfile
= '%s/%s.cert' % (self
.cfg
.certroot
, requesting_host
)
116 csrfile
= '%s/%s.csr' % (self
.cfg
.csrroot
, requesting_host
)
118 # check for old csr on disk
119 # if we have it - compare the two - if they are not the same - raise a fault
120 if os
.path
.exists(csrfile
):
121 oldfo
= open(csrfile
)
122 oldcsrbuf
= oldfo
.read()
124 oldsha
.update(oldcsrbuf
)
125 olddig
= oldsha
.hexdigest()
127 newsha
.update(csrbuf
)
128 newdig
= newsha
.hexdigest()
129 if not newdig
== olddig
:
130 self
.logger
.info("A cert for %s already exists and does not match the requesting cert" % (requesting_host
))
131 # XXX raise a proper fault
135 # if we have it, then return True, etc, etc
136 if os
.path
.exists(certfile
):
137 slavecert
= certs
.retrieve_cert_from_file(certfile
)
138 cert_buf
= crypto
.dump_certificate(crypto
.FILETYPE_PEM
, slavecert
)
139 cacert_buf
= crypto
.dump_certificate(crypto
.FILETYPE_PEM
, self
.cacert
)
140 return True, cert_buf
, cacert_buf
142 # if we don't have a cert then:
143 # if we're autosign then sign it, write out the cert and return True, etc, etc
144 # else write out the csr
146 if self
.cfg
.autosign
:
147 cert_fn
= self
.sign_this_csr(csrreq
)
148 cert
= certs
.retrieve_cert_from_file(cert_fn
)
149 cert_buf
= crypto
.dump_certificate(crypto
.FILETYPE_PEM
, cert
)
150 cacert_buf
= crypto
.dump_certificate(crypto
.FILETYPE_PEM
, self
.cacert
)
151 self
.logger
.info("cert for %s was autosigned" % (requesting_host
))
152 return True, cert_buf
, cacert_buf
155 # write the csr out to a file to be dealt with by the admin
156 destfo
= open(csrfile
, 'w')
157 destfo
.write(crypto
.dump_certificate_request(crypto
.FILETYPE_PEM
, csrreq
))
160 self
.logger
.info("cert for %s created and ready to be signed" % (requesting_host
))
165 def get_csrs_waiting(self
):
167 csrglob
= '%s/*.csr' % self
.cfg
.csrroot
168 csr_list
= glob
.glob(csrglob
)
170 hn
= os
.path
.basename(f
)
175 def remove_this_cert(self
, hn
):
176 """ removes cert for hostname using unlink """
178 csrglob
= '%s/%s.csr' % (cm
.cfg
.csrroot
, hn
)
179 csrs
= glob
.glob(csrglob
)
180 certglob
= '%s/%s.cert' % (cm
.cfg
.certroot
, hn
)
181 certs
= glob
.glob(certglob
)
182 if not csrs
and not certs
:
183 # FIXME: should be an exception?
184 print 'No match for %s to clean up' % hn
186 for fn
in csrs
+ certs
:
187 print 'Cleaning out %s for host matching %s' % (fn
, hn
)
188 self
.logger
.info('Cleaning out %s for host matching %s' % (fn
, hn
))
191 def sign_this_csr(self
, csr
):
192 """returns the path to the signed cert file"""
193 csr_unlink_file
= None
195 if type(csr
) is type(''):
196 if csr
.startswith('/') and os
.path
.exists(csr
): # we have a full path to the file
198 csr_buf
= csrfo
.read()
199 csr_unlink_file
= csr
201 elif os
.path
.exists('%s/%s' % (self
.cfg
.csrroot
, csr
)): # we have a partial path?
202 csrfo
= open('%s/%s' % (self
.cfg
.csrroot
, csr
))
203 csr_buf
= csrfo
.read()
204 csr_unlink_file
= '%s/%s' % (self
.cfg
.csrroot
, csr
)
206 # we have a string of some kind
211 csrreq
= crypto
.load_certificate_request(crypto
.FILETYPE_PEM
, csr_buf
)
212 except crypto
.Error
, e
:
213 self
.logger
.info("Unable to sign %s: Bad CSR" % (csr
))
214 raise exceptions
.Exception("Bad CSR: %s" % csr
)
216 else: # assume we got a bare csr req
218 requesting_host
= self
._sanitize
_cn
(csrreq
.get_subject().CN
)
220 certfile
= '%s/%s.cert' % (self
.cfg
.certroot
, requesting_host
)
221 thiscert
= certs
.create_slave_certificate(csrreq
, self
.cakey
, self
.cacert
, self
.cfg
.cadir
)
222 destfo
= open(certfile
, 'w')
223 destfo
.write(crypto
.dump_certificate(crypto
.FILETYPE_PEM
, thiscert
))
226 if csr_unlink_file
and os
.path
.exists(csr_unlink_file
):
227 os
.unlink(csr_unlink_file
)
232 # not used yet, trying to figure out a way to get the client ip addr to log -akl
233 class CertmasterXMLRPCRequestHandler(SimpleXMLRPCServer
.SimpleXMLRPCRequestHandler
):
235 self
.server
._this
_request
= (self
.request
, self
.client_address
)
237 SimpleXMLRPCServer
.SimpleXMLRPCRequestHandler
.do_POST(self
)
238 except socket
.timeout
:
240 except (socket
.error
, OpenSSL
.SSL
.SysCallError
), e
:
241 print "Error (%s): socket error - '%s'" % (self
.client_address
, e
)
244 class CertmasterXMLRPCServer(SimpleXMLRPCServer
.SimpleXMLRPCServer
):
245 def __init__(self
, addr
):
246 self
.allow_reuse_address
= True
247 SimpleXMLRPCServer
.SimpleXMLRPCServer
.__init
__(self
, addr
)
250 def serve(xmlrpcinstance
):
253 Code for starting the XMLRPC service.
257 server
= CertmasterXMLRPCServer((xmlrpcinstance
.cfg
.listen_addr
, CERTMASTER_LISTEN_PORT
))
258 server
.logRequests
= 0 # don't print stuff to console
259 server
.register_instance(xmlrpcinstance
)
260 xmlrpcinstance
.logger
.info("certmaster started")
261 xmlrpcinstance
.audit_logger
.logger
.info("certmaster started")
262 server
.serve_forever()
267 cm
= CertMaster('/etc/certmaster/certmaster.conf')
269 if "daemon" in argv
or "--daemon" in argv
:
270 utils
.daemonize("/var/run/certmaster.pid")
275 # just let exceptions bubble up for now
279 if __name__
== "__main__":
280 #textdomain(I18N_DOMAIN)